Secure Electronic Mail System

ABSTRACT

An e-mail system is disclosed that overcomes many deficiencies of, but is backward compatible with, existing e-mail systems. Embodiments of the system may include various features, including but not limited to: (1) secure transfer of e-mail messages, without the need for users to replace existing e-mail clients or to change e-mail addresses; (2) tracking of all actions performed in connection with an e-mail transmission; (3) the ability for a recipient to view information about an e-mail message, optionally including information about how other addressees have responded to it, before deciding whether to retrieve the e-mail message; (4) the aggregation of entire e-mail conversations into a single threaded view; (5) the ability to include both private and public messages in a single e-mail communication; (6) sender control over downstream actions performed in connection with an e-mail message; (7) flexible control over cryptographic methods used to encrypt emails messages for storage.

CROSS REFERENCE TO RELATED APPLICATIONS

This patent application is a continuation-in-part of and claims priorityto U.S. patent application Ser. No. 15/415,752, entitled SECUREELECTRONIC MAIL SYSTEM, and filed Jan. 25, 2017, which is a continuationof and claims priority to U.S. patent application Ser. No. 15/006,028,entitled SECURE ELECTRONIC MAIL SYSTEM, and filed Jan. 25, 2016, whichis a continuation of and claims priority to U.S. patent application Ser.No. 14/135,885, entitled SECURE ELECTRONIC MAIL SYSTEM, and filed Dec.20, 2013, which is a continuation of and claims priority to U.S. patentapplication Ser. No. 11/427,912, entitled SECURE ELECTRONIC MAIL SYSTEM,and filed Jun. 30, 2006, which in turn claims priority to U.S.Provisional Patent Application Ser. No. 60/696,300, entitled SECURE ANDTRACKABLE E-MAIL SYSTEM, and filed Jul. 1, 2005, the entire disclosuresof each of which are hereby incorporated herein by reference for allpurposes.

BACKGROUND OF THE INVENTION A. Field of the Invention

The present invention relates to electronic mail systems.

B. Description of the Related Art

E-mail, in its current state, is in dire need of a revisiting. Theexisting design and architecture allows for virus attacks, “spam” abuseand major security concerns. According to Computer Associates, 90% ofviruses are passed through e-mail, which makes users more cautious thanever about what e-mail they open. 51% of corporations have had a virusdisaster and six major viruses over the last five years have resulted in$20 B in estimated global costs. In 2005, more than 200 viruses activelyspread on the Internet resulting in approximately 0.65% of all e-mailmessages carrying a virus.

According to the Meta Group, 75% of all corporate knowledge iscommunicated via e-mail (2005). The number of corporate e-mail messagessent daily worldwide is expected to double by 2006, from 31 billionmessages to 60 billion. The cost of unsolicited e-mail to US andEuropean businesses last year amounted to $11.4 B. For ISPs the cost was$500M. In addition to the financial cost, this ever-growing problem ofunsolicited e-mail has created security, liability, and productivityissues for organizations.

The rapid growth of e-mail has resulted in an increasing awareness ofthe security threats and the need for solutions to safeguard corporatenetworks and data. In an ever-changing landscape of products, providersand services in this growing market, millions of dollars are spent everyyear trying to strengthen the infrastructure of corporations in order toprotect its data from spam and viruses.

Existing multi-layered protection methods typically consist of addingextra scanning processes, traps and quarantine areas, all within thenetwork of the corporation, to reduce spam and virus intrusions. Currenttrends suggest that these multi-layer methods cannot stop the increasein spam e-mail and viruses. Reinforcing the infrastructure is an ad hocsolution; by the time anti-spam and anti-virus protection systemsintercept the message, it already resides inside the corporation'sfirewall. In some cases it might not even be necessary to open themalicious e-mail; just receiving it may be enough to create damage(e.g., in the case of self-executable viruses). From a legalperspective, the digitization of documents has created a large problemin being able to track who has what copy and which was the originalversion. New trends surrounding archiving and tracking e-mailcommunications are covered daily by the press because of the followingpressure points which traditional e-mail does not cover:

-   -   Compliance: The Sarbanes-Oxley (US) compliance for the        Securities and Exchange Commission and the Health Insurance        Portability and Accountability Act (US) both require that valid        records of electronic communication between employees and        clients be kept. With traditional e-mail, guaranteed tracking        and auditability cannot be reliably achieved, and thus        compliance cannot reliably be achieved in any easy manner.        Public disclosure of confidential material: Traditional e-mail        has no way of tracking or recording unauthorized message        forwarding or interception. These pitfalls make e-mail an        unattractive solution for the transference of sensitive        materials.    -   Archiving: Archivists commonly require the original document not        to be changed or tampered with.    -   Records Management: Requirements often demand that all copies of        the original document be keep in an archive.

Existing e-mail network infrastructures and protocols (hereinaftercollectively “e-mail1”) have only limited tracking capabilities.Messages typically cannot be tracked between different e-mail serversand recipients; incomplete transactions due to different softwareconfigurations create non-guaranteed tracking records. Companiesoffering e-mail1 tracking systems typically either require users tochange e-mail addresses so that messages are routed through the sameserver, or worse, require HTML and JavaScript embedded into each messagein order to track executables (code) rather than the actual e-mailmessage.

Additionally, e-mail encryption methods, such as PKI, are not widelyused today despite their existence for more than 10 years. This ispartly because such technologies are not easy to use. For example, PKIrequires each user (sender and recipients) to manually set-up their owncertificate or private key, and then manually exchange this key withother users. Many users do not know how to manage their key files,creating security loopholes in the process.

Limitations of E-Mail1 Message Control and Metadata Functionality

Existing e-mail systems have several inherent limitations in the areasof message control and metadata functionality. Due to the architecturethat e-mail1 is based upon, many potentially useful features areimpossible or only possible to partially implement.

For example, using Microsoft's Outlook e-mail client, users have theoption to ‘recall’ a message. This feature potentially ‘un-sends’ ane-mail sent in haste, or one that was sent to the incorrect recipient.However, Outlook's recall functionality typically can only work withinan internal domain—a large company's e-mail network, for instance. Eventhen, different configuration settings on recipient computers can thwartattempts to recall messages. Because many of the people a usercommunicates with on a regular basis are not a part of the user'sinternal domain, this feature is significantly less useful than it couldbe.

As another example, many e-mail clients incorporate a ‘voting system’,but these tend to be available only for the simple task of providingfeedback to the initial sender. These voting systems do not generallyallow for more complex peer-to-peer or user-driven ratings in whichfeedback is available to persons other than the original sender.Further, such systems are generally not extensible in that they do notallow for easy introduction of new types of e-mail metadatafunctionality.

E-Mail1 Architecture and Backward Compatibility

Although the existing e-mail1 architecture is both outdated andineffective, e-mail1 is widely accepted as the worldwide standard foronline communication. There is an enormous amount of infrastructure,both hardware and software systems, devoted to maintaining andpropagating e-mail1 messages. Because of the universally massiveinvestment in e-mail1 infrastructure, it is desirable that any solutionto the multitude of problems found in e-mail1 be backwards compatible,and that it not disrupt the current flow of e-mail1 communication.

SUMMARY OF THE DISCLOSURE

An e-mail system is disclosed that embodies various inventive features.One feature of the system is a computer-implemented method of securelycommunicating e-mail messages. The method comprises receiving an e-mailmessage at a server system that implements a secure e-mail service, thee-mail message being from a sender that has an account with the securee-mail service, and being addressed to a recipient that does not have anaccount with the secure e-mail service. The method further comprisesstoring the e-mail message in encrypted form on the server system; andtransmitting, or causing the transmission of, a substitute message tothe recipient (e.g., via email1 protocols). The substitute message lacksat least some message content of the e-mail message, and includes a linkto a component that provides functionality for the recipient to securelyretrieve the e-mail message from the server system.

Another feature of the system is a computer-implemented method ofproviding for secure delivery of an e-mail message sent, via an e-mailclient running on a sender computing device, to a recipient e-mailaddress. The method comprises intercepting the e-mail message with ane-mail client plug-in running on the sender computing device, such thatan ordinary transmission of the e-mail message to the recipient e-mailaddress is blocked. The method also comprises sending the e-mail messageto a server system for storage thereon, and storing the e-mail messageon the server system in an encrypted form. The method further comprisessending a substitute message to the recipient e-mail address withinformation about the e-mail message. The substitute message includes akey for retrieving the e-mail message from the server system, and lacksat least some message content of the e-mail message.

Another feature of the system is an e-mail client plug-in. The e-mailclient plug-in is adapted to run in conjunction with an e-mail clientprogram on a user computing device, and is capable of intercepting ane-mail message sent from the e-mail client program such that an ordinarytransmission of the e-mail message is blocked. The e-mail client plug-inis also capable of causing the intercepted e-mail message to be sentover a network to a secure e-mail service for subsequent retrieval by arecipient to whom the e-mail message is addressed.

Another feature of the system is a computer-implemented method ofsecurely transferring an e-mail message addressed to at least onerecipient. The method comprises sending the e-mail message from a sendercomputing device to a server system for storage on the server system;and sending a notification message to an e-mail address of therecipient. The notification message includes a message key associatedwith the e-mail message, and lacks at least some message content of thee-mail message. The method further comprises, on a recipient computingdevice, prior to retrieving the e-mail message, using the message key asobtained from the notification message to retrieve, from the serversystem, e-mail message metadata associated with the e-mail message. Thee-mail message metadata is displayed on the recipient computing deviceto assist the recipient in determining whether to retrieve the e-mailmessage from the server system.

Another feature of the system is a method of collaboratively filteringe-mail messages. The method comprises receiving, at a server system, ane-mail message addressed to a plurality of recipients; and sendingnotification messages to each of the recipients regarding the e-mailmessage. The notification messages include information for retrievingthe e-mail message from the server system. The method further includesmonitoring actions performed by at least some of the recipients inconnection with the e-mail message, and based on such actions,generating dynamic metadata for the e-mail message. The dynamic metadatais communicated to a recipient that has not yet retrieved the e-mailmessage to assist said recipient in determining whether to retrieve thee-mail message. The dynamic metadata may, for example, indicate howother users rated the e-mail message, how many other users retrieved orrejected the e-mail message, how many users replied to or forwarded thee-mail message, etc.

Another feature of the system is a computer-implemented method ofproviding different versions of an e-mail message to differentrecipients. The method comprises detecting a send event of an e-mailmessage composed by a sender on a sender computing device, the e-mailmessage being addressed to at least a first recipient and a secondrecipient. The e-mail message includes a non-private message portionthat is not private to any particular recipient, and includes a privatemessage portion that is private to the first recipient. The method alsocomprises securely transferring the e-mail message to a server system,and storing the e-mail message on the server system such that both thenon-private and private message portions are stored in association witha common message identifier. The method further comprises providingrestricted access to the e-mail message as stored on the server systemsuch that the first and the second recipients have access to thenon-private message portion, and such that the first recipient but notthe second recipient has access to the private message portion.

Another feature of the system is a computer-implemented method ofproviding different versions of an e-mail message to differentrecipients. The method comprises detecting that an e-mail message beingcomposed by a user via an e-mail client program is addressed to at leasta first recipient and a second recipient. In response to detecting thatthe e-mail message is addressed to the first second recipients, ane-mail message composition user interface of the e-mail client programis supplemented to include a first private message entry area forentering a private message to the first recipient, and a second privatemessage entry area for entering a private message to the secondrecipient.

Another feature of the system is a method of facilitating viewing ofe-mail messages. Reply messages are received from each of a plurality ofrecipients of an original e-mail message sent by a sender, and arestored on a server system in association with the original e-mailmessage. The sender is presented with a single e-mail inbox entry thatrepresents the plurality of reply messages. In response to a requestinitiated by the sender in connection with the single e-mail inboxentry, the plurality of reply messages are retrieved from the serversystem, and are displayed to the sender as part of a single logicale-mail message.

Another feature of the system is a computer-implemented method forproviding a threaded display. The method comprises assigning a uniqueidentifier to an original e-mail message sent from a sender to aplurality of recipients; and storing the original e-mail message, and aplurality of reply messages to the original e-mail message, on a serversystem in association with the unique identifier of the original e-mailmessage. The plurality of reply messages include reply messages from atleast two different recipients of the original e-mail message. Themethod further comprises using the unique identifier to automaticallyaggregate at least the original e-mail message and the plurality ofreply messages into a threaded display.

Another feature of the system is a computer-implemented method offacilitating viewing of an e-mail conversation. The method comprisesidentifying a plurality of e-mail messages of an e-mail conversation.The plurality of e-mail messages include, at least, an originatinge-mail message sent to a plurality of recipients, reply messages from atleast two of the recipients, and at least one reply to one of the replymessages. The method further includes identifying a plurality ofsub-conversations of the e-mail conversation, each sub-conversationincluding a different respective sequence of e-mail messages; andgenerating a separate, chronological display of each sub-conversation.

Another feature of the system is an e-mail client plug-in stored on acomputer readable medium. The e-mail client plug-in is adapted to run inconjunction with an e-mail client program on a user computing device.The e-mail client plug-in is capable of intercepting e-mail messagessent from the e-mail client program, and causing the intercepted e-mailmessages to be communicated to recipients via a secure e-mail service.The e-mail client plug-in is additionally capable of retrieving aplurality of e-mail messages of a common e-mail conversation from thesecure e-mail service, and aggregating the plurality of e-mail messagesinto a threaded display.

The invention also comprises a secure e-mail system that comprises aserver system configured to store e-mail messages in an encrypted form.The server system provides functionality for addressees of the e-mailmessages to retrieve corresponding e-mail messages. The secure e-mailsystem also includes a cryptographic engine that encrypts the e-mailmessages for storage on the server system, and decrypts the e-mailmessages for delivery to the addressees. The secure e-mail systemfurther includes an interface that provides functionality for anadministrator to add an executable cryptographic method to thecryptographic engine, and to designate a particular executablecryptographic method to be used to encrypt/decrypt e-mail messages.

The invention also comprises a secure e-mail system that comprising acryptographic engine that includes a plurality of different executablecryptographic methods, at least some of which provide different levelsof encryption than others. The secure e-mail system also includes aplurality of e-mail services that run on the server system and use thecryptographic engine to encrypt and decrypt e-mail messages. Each of thesecure e-mail services is configured to use a particular one of theexecutable cryptographic methods, and at least some of the services areconfigured to use different executable cryptographic methods thanothers, so that different services provided different levels of securitythan others. The secure e-mail system further includes an e-mail clientcomponent that provides functionality for a sender of an e-mail messageto select from the plurality of e-mail services for sending the e-mailmessage to a recipient.

The invention also comprises a secure email system that comprises aserver system that hosts a secure e-mail service. The secure e-mailservice is configured to store e-mail messages from senders, andprovides functionality for addressees of the e-mail messages to securelyretrieve the e-mail messages. The secure email system also comprises aclient component that communicates with the server system using acommunications protocol that provides for encryption of messages. Theclient component provides functionality for users to send e-mailmessages to recipients via the secure e-mail service, and to initiateretrieval of e-mail messages from the secure e-mail service. The clientcomponent and the secure e-mail service collectively providefunctionality for a sender of an e-mail message to control whether arecipient of the e-mail message can forward the e-mail message to otherusers. The client component and secure email service may also providefunctionality for the sender to, e.g., control whether the recipient canreply to the e-mail message.

Another inventive feature of the disclosed system is acomputer-implemented method of controlling an e-mail conversation. Themethod comprises receiving a parent e-mail message from a sender, andstoring the parent e-mail message on a server system. The parent e-mailmessage is addressed to at least a first recipient, who is providedaccess to the parent e-mail message from the server system. The methodalso includes receiving a child e-mail message generated by the firstrecipient by forwarding or replying to the parent e-mail message, thechild e-mail message being addressed to at least a second recipient. Thechild e-mail message is stored on the server system in association withthe parent e-mail message, and the second recipient is provided accessto the child e-mail message from the server system. Subsequently, arequest to terminate an e-mail conversation associated with the parente-mail message is received at the server system from the sender of theparent e-mail message. In response to the request, at least one of thefollowing actions is performed: (a) blocking the first recipient fromforwarding and replying to the parent message, (b) blocking the secondrecipient from forwarding and replying to the child message.

The foregoing summary is not intended to be comprehensive of all of theinventions and inventive subject matter disclosed herein, and is notintended to limit the scope of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

Specific embodiments and features of the e-mail system will now bedescribed with reference to the following drawings, which are intendedto illustrate, and not limit, the invention

FIG. 1 is a block diagram, describing major components and processes ofthe system.

FIG. 2 is a schematic, describing the architecture of the client plug-inaspect and service/server aspects of the system shown in FIG. 1.

FIG. 3 describes the processes of registration and activation inrelation to the major components of the system described in FIG. 1 andFIG. 2.

FIG. 4 is a workflow, detailing the processes of registration andactivation.

FIG. 5 describes, at a high level, how messages are created and sentusing the system described in FIG. 1 and FIG. 2.

FIG. 6 is a detailed workflow, describing how messages are created andsent using the system described in FIG. 1 and FIG. 2.

FIG. 7 is a representation of a graphical user interface in a standarde-mail client. It shows the extra menus, created and integrated into theexisting menu system by the plug-in described in FIG. 1 and FIG. 2.

FIG. 8 describes the process for adding multiple private messages to asingle conversation, as well as the process for combining privatemessages into private groups.

FIG. 9 describes the process for adding public sub messages,specifically using Microsoft Outlook with a plug-in (described in FIG. 1and FIG. 2) installed.

FIG. 10 describes the process for adding private sub-messages,specifically using Microsoft Outlook with a plug-in (described in FIG. 1and FIG. 2) installed.

FIG. 11 is an example of an eMail2 Message Access Key in its encryptedor obscured form.

FIG. 12 is an example of an eMail2 Message Access Key after beingdecrypted.

FIG. 13 is an example of an eMail2 Introductory Message.

FIG. 14 describes the general process for retrieving messages, includinghow access permissions are handled.

FIG. 15 is a detailed workflow, describing how a client plug-in(described in FIG. 1 and FIG. 2) retrieves messages from an externalservice.

FIG. 16 is an example of an eMail2 Access Message.

FIG. 17 is an example of an eMail2 Introductory Message, viewed throughthe preview pane in Microsoft Outlook.

FIG. 18 is an example of an eMail2 Access Message viewed through thereading window in Microsoft Outlook.

FIG. 19 describes the Bookmark Manager for a message with multiplesub-messages, replies or forwards.

FIG. 20 describes the structure of the message threading system.

FIG. 21 is a workflow describing how a user replies to or forwardsmessages. It is related to FIG. 5 and FIG. 6, as all three describesending processes in some form.

FIG. 22 is a workflow describing how a message is terminated by thesender.

FIG. 23 is a workflow describing how message tracking data is collected.

FIG. 24 is an example of the Incoming Message Preferences dialoginserted into Microsoft Outlook with a plug-in, described in FIG. 1 andFIG. 2.

FIG. 25 is an overview of how Registered Electronic Mail can be enabledin one implementation of the system (described in FIG. 1 and FIG. 2).

FIG. 26 is a workflow for encryption/decryption using theInterchangeable Crypto Engine (ICE).

FIG. 27A is a representation of the main toolbar that supplements ane-mail client after the plug-in (described in FIG. 1 and FIG. 2) isinstalled.

FIG. 27B is a representation of the reading toolbar that supplements ane-mail client after the plug-in (described in FIG. 1 and FIG. 2) isinstalled, and an eMail2 message is selected or opened.

FIG. 27C is a representation of the editing toolbar that supplements ane-mail client after the plug-in (described in FIG. 1 and FIG. 2) isinstalled, and en eMail2 message is being created, replied to orforwarded.

FIG. 28 is a representation of a delivery slip, as displayed in a webbrowser.

FIG. 29 is an example of a service administration web interface, whereservice administrators can configure various options and exercise adegree of control over the service (described in FIG. 1 and FIG. 2).

FIG. 30 is a block diagram describing the processes of communicationbetween a third party application, a service and a client plug-in.

FIG. 31 is an example of a metadata extension module, in the form thatit would be displayed on the delivery slip.

FIG. 32 is a process flow for a metadata extension module generating,displaying and exchanging information.

FIG. 33 is an overview of the general areas in the eMail2 system(described in FIG. 1 and FIG. 2) that can be protected by encryption orother security methods.

FIG. 34 describes the process for securely streaming and securelystoring multimedia messages.

FIG. 35 is an example of the message transactions that would constitutea “conversation” in eMail2 terminology. Reference to FIG. 35 is used todescribe the events, processes and elements in FIGS. 36-38.

FIG. 36 is an example of a message reading interface and bookmarkmanager, displaying an eMail2 conversation with the chronologicalthreading method.

FIG. 37A is an example of a message reading interface and bookmarkmanager, displaying an eMail2 conversation with the logical threadingmethod, for thread A.

FIG. 37B is an example of a message reading interface and bookmarkmanager, displaying an eMail2 conversation with the logical threadingmethod, for thread B.

FIG. 38 is a visual representation of a message reading interface windowfor a threaded eMail2 conversation.

FIG. 39 is a visual representation of the security matrix, an interfaceused to determine the registration options for a specific service.

FIG. 40 displays the service-level message options: an interface used todetermine whether options are available, what the default value is, andwhether users can override the default value.

FIG. 41 displays the process for validating an e2COM with the eMail2certification authority and subsequently registering the e2COM with theeMail2 ICE.

FIG. 42 depicts a secure messaging system including a sender computingdevice, a server system, a third party application server, and arecipient computing device, according to one embodiment of the presentdisclosure.

FIG. 43 schematically depicts an example email message, according to theembodiment of FIG. 42.

FIG. 44 schematically depicts an example substitute message, accordingto the embodiment of FIG. 42.

FIG. 45 depicts a flowchart of a method for use with a secure messagingsystem, according to the embodiment of FIG. 42.

DETAILED DESCRIPTION OF SPECIFIC EMBODIMENTS

An e-mail messaging system (hereinafter “eMail2”) that allows users tosecurely send and track electronic messages will now be described withreference to the drawings. The eMail2 system allows any organization tocreate its own Private E-mail Network (PEN) and decide who belongs toit. The eMail2.TM. system is very secure, fully auditable, andtrackable. eMail2 interoperates with existing e-mail networkinfrastructures and protocols (“e-mail1”), but adds extra layers ofsecurity and features. eMail2 is not necessarily a replacement fortraditional e-mail, it is a comprehensive upgrade that plugs existingsecurity holes and adds valuable layers of new features, all withoutinhibiting or constraining existing e-mail1 processes.

Embodiments of the eMail2 system may include various features, includingbut not limited to the following: (1) secure transfer of e-mailmessages, without the need for users to replace existing e-mail clientsor to change e-mail addresses; (2) tracking of all actions performed inconnection with an e-mail transmission; (3) the ability for a recipientto view information about an e-mail message, optionally includinginformation about how other addressees have responded to it, beforedeciding whether to retrieve the e-mail message; (4) the aggregation ofentire e-mail conversations into a single threaded view; (5) the abilityto include both private and public messages in a single e-mailcommunication; (6) sender control over downstream actions performed inconnection with an e-mail message; (7) flexible control overcryptographic methods used to encrypt emails messages for storage.

As will be recognized, many of the inventive features and aspects of theeMail2 system can be implemented without others, and can be implementedwithin very different types of e-mail systems than the system describedherein. By describing these features and aspects as part of a commone-mail system, no implication is made that any of these features oraspects need to be implemented in combination. More generally, nothingin this detailed description section is intended to imply that anyparticular feature or characteristic of the disclosed system is anessential component or aspect of the invention. Further, nothing in thepreceding background section is intended to imply that any particularproblem must be addressed or solved by the invention. The invention isdefined only by the appended claims.

1. OVERVIEW

eMail2 is a messaging system that interoperates with e-mail1 but usesalternative protocols (HTTPS and HTTP are just two examples) and allowsusers to securely send, track, and retrieve messages. When considered ata broad level, eMail2 has two major features:

-   -   1. eMail2 allows the user to actively participate in the message        retrieval process. While e-mail1 places the responsibility of        retrieving messages on the recipients' network infrastructure,        eMail2 preferably places that responsibility on the recipients        themselves. After reviewing associated message data, a user can        make an informed decision about the content that he or she        allows into his or her local environment. Thus, unlike e-mail1,        eMail2 does not unwittingly expose users' intranets and local        data to malicious e-mail content.    -   2. eMail2 changes the traditional e-mail “store and forward”        paradigm by enforcing a centralized message repository. E-mail        messages are preferably kept at a single location and retrieved        by users based on specific permissions. Because both        transmission and retrieval are preferably conducted in a secure        manner, and storage is preferably protected by encryption,        eMail2 messages are impervious to the common security flaws that        plague e-mail1.

One embodiment of the eMail2 system includes a plug-in component(hereinafter “eMail2 client plug-in”) that works in conjunction withexisting local-computing e-mail clients such as Outlook and Eudora. TheeMail2 client plug-in (FIG. 1, 108) may be a module that is installed ontop of an e-mail client 101 installation, or the functionality of theplug-in may be directly integrated into the e-mail client 101 such thatusers need not install an additional plug-in 108 or other add-oncomponent. Additionally, for server-hosted client situations, the eMail2client plug-in may be a server add-on. Alternatively, the functionalityof the eMail2 client plug-in 108 may be available via a web clientinterface 127 or helper application for web-based e-mail services.

The eMail2 client plug-in 108 communicates over a network, such as theInternet, with a service referred to as the eMail2 service 110. TheeMail2 service 110 may be implemented as a service system (one or morephysical servers) that executes associated service code. The service canbe implemented by a large scale eMail2 service provider, oralternatively, a single organization or company may run its own eMail2service 110. Although the terms “server” and “service” are used somewhatinterchangeably in this document, it should be understood that multipleeMail2 services can run on a single physical server or server system.

In one embodiment, when a new eMail2 message is created, an introductorymessage containing an encrypted message access key is sent to the eMail2message recipient(s). This introductory message may be sent by thesender's eMail2 client plug-in 108 using the sender's e-mail1 networkand infrastructure (e.g. SMTP server 103) or by the eMail2 service 110directly, and may be sent using email1 or a secure protocol. The contentand attachments of the eMail2 message may be encrypted and sent to aneMail2 service 110, preferably over a secure connection.

If the eMail2 client plug-in 108 is not installed on the recipient'scomputing device 100, the introductory message may appear in therecipient's inbox as a regular text e-mail message. This message mayinclude a link to an Internet address for downloading and installing theeMail2 client plug-in 108, a link to access the eMail2 web clientinterface 127, or an attached executable or script that implementseMail2 client plug-in functionality. If the eMail2 client plug-in 108 isinstalled on the recipient's computing device 100, the plug-in willextract the message key from the introductory message and automaticallyretrieve an access message from the eMail2 service 110. The messageaccess key contains information about the eMail2 service's location, thestatus of the eMail2 message, and a unique message ID. The messageaccess key in the preferred embodiment does not contain or serve as adecryption key.

The access message acts in part as a notification to the recipient thatthere is an eMail2 message on the eMail2 service 110 waiting to beretrieved. The access message may also contain information about theeMail2 message body and attachments. For example, the access message mayinclude information such as virus or spam scanning process results, thenumber of other recipients that have retrieved the message, and/or asummary of how other recipients have rated the message. The accessmessage allows the recipient to view this type of information. With theaccess message, the recipient may also retrieve, reject or ignore theeMail2 message, retrieve the message body only excluding anyattachments, or even simply retrieve a “text scan” of an HTML message toavoid exposing his or her e-mail client to malicious code often embeddedin HTML messages. On retrieval, the access message may be replaced bythe actual message.

Because the eMail2 client plug-in 108 is capable of handling the tasksof securely retrieving and decrypting the eMail2 message, there ispreferably no need to attach or otherwise include executable code,executable software, encryption/decryption keys, user keys, or privateuser information with any of the messages (including the introductorymessage and the access message) transmitted to the recipient's computingdevice 100.

2. SAMPLE FEATURES AND BENEFITS OF EMAIL2

Sample features of the eMail2 system may include but are not limited tothe following: (1) a seamless and conjunctive relationship withtraditional e-mail, optionally embodied through the use of a plug-in tointercept and re-route messages; (2) the ability to circumventrestrictions and pitfalls associated with traditional e-mail bybypassing and supplementing the traditional transport methods; (3) adramatic improvement in local and server-side security, optionallyembodied through the use of an Interchangeable Cryptography Engine (ICE)(FIG. 26, 123); (4) a centralized, secure message repository for storingall messages associated with a single conversation; (5) a comprehensivetracking system that allows for reliable message history and guaranteedaudits; (6) the ability to review messages and attachments beforeretrieving them to a local environment; (7) various upgrades to thefeature set of traditional e-mail (collectively called “metadataextensions”), including the ability to have private and non-privateconversations within a single e-mail communication, and to allowrecipients to respond in the same manner. Specific features aresummarized below, and are described in greater detail in subsequentsections.

Controlled, Centralized, and Secure Message Repository

Since all eMail2 messages are sent to an eMail2 service (FIG. 1, 110),the eMail2 service 110 acts as a controlled, centralized, and securemessage repository (Private E-mail Network). The messages and theirattachments are stored in an encrypted form on the eMail2 service/serversystem 110 and may be archived for any desired period of time. Whencreating a new eMail2 message, the sender may select which eMail2service 110 will handle and store the message and its message thread(replies, forwards, tracking information, etc.).

Increased End-to-End Transport Security

eMail2 message bodies and their attachments can be stored encrypted on auser's local computer. When eMail2 messages and attachments are sent toa service 110, they may be temporarily decrypted and sent over a secureprotocol (such as HTTPS). A secure protocol is essentially a direct,private tunnel between the client and the server, and as such, isresistant to interception techniques or security compromises. Uponarrival at the server 110, the eMail2 messages and attachments arepreferably immediately encrypted before storage, using the service's 110encryption methods.

Stored data can be decrypted, but preferably cannot be re-encrypted withdifferent information. Enforced through the admin interface, decryptionattempts and reasons for such attempts are sent directly to the involvedusers. This is assuming that the decryption attempts were legitimate. Ifa message were to be decrypted and then re-encrypted by an un-authorizedperson with different information in the body, header, or attachments,this would immediately be detected by the eMail2 system, and identifiedas such to the user and service 110. This identification couldoptionally be performed by a checksum value comparison.

With this preferred system, data is completely secure between the pointof origin and the destination, as well as secured during storage at bothpoints. Additionally, due to the decoupled relationship between theservice 110 and client 100 environments (namely, no secret encryptioninformation is shared between the two sides), a security breach at oneend will leave the other end remaining completely secure. Further,information generally cannot be tampered with between point A and pointB, as it is stored and transferred securely at all times.

Though it is not necessarily required, it is possible for eMail2 to beimplemented in tandem with other e-mail security solutions (such as PKIor PGP) to provide even further increased transport security.

Seamless Use of Encryption Keys

From the user's perspective, the process of encrypting and decryptingeMail2 messages is seamless. These security features are embedded in theeMail2 client plug-in 108 and the eMail2 service and require no extraeffort on the part of the user. Each eMail2 message is preferablyencrypted during storage, and preferably only transferred over a secureprotocol (such as one from the popular TCP/IP suite of protocols). Sincethese messages are protected from creation to retrieval, it is difficultor impossible to change their content (message body and any attachments)during the transaction. It is also difficult or impossible forunauthorized users to retrieve or intercept messages and attachments.Self-executable viruses generally cannot infect an eMail2 service 110and propagate themselves, resulting in an overall safer global network.

Interchangeable Crypto Engine

In addition to the seamless use of encryption keys, the eMail2 systempreferably makes use of a unique Interchangeable Cryptography Engine(ICE) (FIG. 26, 123). The ICE is implemented either on the client side(FIG. 1, 100) or the service side 110 of the service, and allowsadministrators to select custom or third party encryption algorithms toprotect messages stored in the services they manage. New encryptionmethods or systems can be registered with the ICE (FIG. 26, 123) as theyemerge, allowing an eMail2 installation to offer the highest possiblelevels of security to clients.

Co-Existence with Traditional E-Mail

No changes are necessarily required to a user's e-mail address or e-mailserver/internet service provider to start retrieving eMail2 messages. Asmentioned previously, the eMail2 client plug-in (FIG. 1, 108) may handleall of the added client-side functionality of eMail2.

Users that wish to initiate a new eMail2 message may do so bysubscribing to an eMail2 service 110. Such a service may be provided byanyone, including national or local ISPs (AOL, MSN), web-based e-mailproviders (Yahoo Mail, Hotmail, Gmail) or security service providers(Verisign, Symantec). Users may subscribe to any number of eMail2services 110 and choose the appropriate service 110 to serve each newmessage. Preferably, recipients do not need to subscribe to any eMail2service 110 in order to retrieve or reply to eMail2 messages.Preferably, all replies to an eMail2 message are served by the eMail2service 110 on which the original message was created, although linkagesbetween email2 servers are contemplated and discussed below.

Each eMail2 service 110 may offer value-added features such as differentsecurity, encryption and storage options. Any organization can alsoset-up its own eMail2 service 110 internally and/or subscribe toexternal eMail2 services 110. Preferably, all eMail2 services 110 areable to interoperate with the same version of the eMail2 client plug-in108 (i.e., the eMail2 client plug-in 108 is preferably universal to anyeMail2 service 110).

In some embodiments, multiple eMail2 services 110 can be linked by theservice administrators to allow for routing across disparate eMail2services, or alternatively, only among trusted services. In such a case,the message may be ‘owned’ by the initiating service 110, but copies maybe stored at other locations. This provides for sharing tracking resultsacross multiple companies. For example, if Company A wants tocommunicate with Company B, but both want to be able to universallyaccess tracking and service information, the administration may be ableto set up both services so that in defined instances, tracking andservice information can be shared. If more than one service is hostingcopies of the message, this may be disclosed in the access message andtracking information, possibly in the “service” section of therespective items.

In other cases, where special arrangements have not been made betweenservices, eMail2 messages for a specific service 110 are preferably onlyhosted by and acted upon by the service 110 with which they wereinitiated. Although multiple eMail2 services 110 and service providersare contemplated, the system may be implemented with only a singleeMail2 service 110 and service provider.

Proactive Message Summary: The Access Message and Delivery Slip

Allowing recipients to manually retrieve messages after reviewing theaccess message substantially reduces the probability that theircomputers will become infected by an e-mail virus. The access messagemay contain information such as, but not limited to, the identity of thesender, the identity of the recipient(s), whether any local anti-spamand anti-virus scanning has been performed, a brief summary of message,metadata associated with attachments to the message, etc. (See FIGS. 16and 17). Access messages containing inappropriate key strings or viruswarnings can be blocked and deleted by the recipient or the recipient'scomputer system (FIG. 1, 100). The access message is retrieved from aneMail2 service 110 using the introductory message that is initially sentto the recipient. Since the introductory message may be sent viae-mail1, it can go through all of the anti-spam and anti-virus scanningprocesses 102 currently in use.

In one embodiment, the access message exists as an e-mail message in therecipient's inbox, and may replace the introductory messageautomatically when the eMail2 client plug-in 108 is installed. Users mayalso have the option to view a web-based version of the access messagecalled the “delivery slip.” The delivery slip (FIG. 30, 806) may containthe same information as the access message, less information, or moreinformation, and is fully customizable within an eMail2 service (FIG. 1,110). In embodiments that include a web client interface 127, thedelivery slip (FIG. 30, 806) is also a part of the web client interface(FIG. 1, 127). As such, users can not only view metadata, but may alsobe able to retrieve or perform other actions with the eMail2 messages,such as replying, forwarding, downloading attachments, and so forth.

Customized Private Messages

Some embodiments of the eMail2 system allow users to combine public andprivate “sub-messages” into a single logical eMail2 message. Forexample, a sender may create a public sub-message that is viewable byall recipients, and additionally embed into the eMail2 messagecustomized private sub-messages to a sub group of recipients and/or eachindividual recipient (See FIG. 8). Recipients preferably retrieve fromthe eMail2 service the public sub-message to “All” as well as theirindividual private sub-messages (possibly including individualattachments). The public and private sub-messages preferably appear tothe recipient as a single logical eMail2 message in his or her inbox.Each recipient can reply in the same secure fashion to any recipientsoriginally included in a given sub-message and may add new recipients(See FIG. 8) subject to the forwarding controls put in place by thesender. FIGS. 9 and 10 provide visual representation of custom privatemessages in a real-world setting.

Unique Message Threading

Each eMail2 message (and sub-message) is assigned a unique message IDand, if appropriate, a unique parent message ID. As a result, anoriginal message and all of its replies can be tracked and assembled.For example, these IDs allow an e-mail client to combine all replies tothe same eMail2 message into a single inbox entry.

P2P Event-Based and Transactional Data: Ratings and Surveys

Some embodiments of the eMail2 system may provide peer-to-peerevent-based and transactional functions that link the sender andrecipients of an eMail2 message. Because all eMail2 messages in aconversation are served by the same service 110, users can be linkeddirectly to their actions, and reliable records of said actions can bekept. This allows for the possibility of features like rating and surveysystems for e-mails, in which recipients can, prior to retrieving agiven message, see if other recipients rated the message as valuable.User-to-action links may include interoperability with social networkingsystems.

One of the largest benefits of such an approach is the ability toseamlessly display metadata in real time via a secure browser window.Survey, rating and voting results (e.g., average rating) can begenerated and updated in front of the user's eyes.

Additionally, the rating or survey functionality of a message is notnecessarily limited to a sender-recipient relationship. Peer-to-Peer(p2p) ratings and surveys are possible, allowing recipients to viewmetadata generated by other recipients.

Real-Time E-Mail Tracking Accountability & Auditability

Because eMail2 messages are not sent via traditional e-mail1 protocols,it is possible with eMail2 to track the entire lifecycle of a message(send, retrieve, forward, reject, delete. etc.). As each recipientretrieves, forwards or rejects their intended message, the sender and/orrecipients can monitor the status of these transactions. The eMail2system may also include web services that can be customized intoexisting applications such as online e-commerce engines, supply chainmanagement deployments, CRM applications, etc., enabling flawlesstransactions throughout the entire cycle.

Complete Message Control and Termination

In some embodiments, the originator of a message has a level of controlover the future use of that message. The options to terminate a message,change policies or control permissions may be held by the senderthroughout the entire lifecycle of a conversation. In some embodiments,upon creating a new message, the sender can decide whether or notrecipients can reply to the message, forward it, or see the trackingmetadata associated with it. Preferably, these options can still beexercised by the sender after the message has already been sent. As anexample of message control, the sender may be able to enforce a policyfor a message that will require that the initial recipients request thesender's permission before forwarding a message to a third party. Thispermission may include global permission (to allow all forwarding by therecipient) or per-3.sup.rd-party permission (where the sender mayapprove or deny forwarding to specific 3.sup.rd-parties).

The current generation of e-mail, built on an outdated architecture,does not provide for the same level of message control. Message controlfeatures, such as termination and requiring permission to forwardmessages, are a direct result of the new architectural system that is apart of eMail2 and are generally not possible within the bounds of ane-mail1 framework.

Termination, essentially freezing the conversation in time, can beespecially useful in contract negotiations, legal disputes, e-commercecommunication and the general prevention of the dissemination ofsensitive information. Senders have the option of choosing between softtermination, wherein users are prevented from performing further actionon an eMail2 message, such as forwarding or replying, or hardtermination, wherein users are prevented from accessing the messageagain, as well as prevented from performing further action on the eMail2message.

Registered Electronic Mail

The eMail2 system, when optionally composed of message retrieving,storing, threading and tracking processes, seamless use of encryptionkeys and digital signature auditing, allows for a true “registeredelectronic mail” application. For example, eMail2 allows for laterretrieval of messages and activity logs over a secure web basedinterface (FIG. 1, 127). eMail2 services 110 may offer secure eMail2transaction services where the complete transaction is monitored andrecorded. The messages (and their attachments) may be saved in anencrypted form on the eMail2 service/server 110 and may be recoveredlater by a third party organization, such as a legal entity, in order toprove that the transaction actually occurred. The encryption inhibitsunauthorized users from tampering with the messages and theirattachments.

eMail2 re-creates the business process of traditional registered snailmail, but electronically, or paperless. In one embodiment, all messagecontents and attachments are stored encrypted, certified and availablefor later retrieval, in their original condition, by any authorized user(such as a legal entities), proving that the transaction actuallyoccurred without any possibility to have it tampered with over time.

As an example, financial institutions are struggling to comply with SECrule 17a-4 which says they must record all electronic communicationbetween employees and clients. Although the rule has been in effectsince 1997, only recently have regulators come down on the industry byfining such firms as Deutsche Bank, Goldman Sachs, Salomon Smith Barneyand Morgan Stanley, among others. Not wanting to join this dubious list,financial-services firms are now faced with the task of investingmillions of dollars in e-mail archival and retrieval systems or facefines and, even more seriously, a damaged reputation.

eMail2 introduces a robust solution for archiving and retrieving all ofthe e-mail content and its associated tracking details, ensuring thatthe complete range of electronic communications of specific users andgroups is fully archived and auditable. In one embodiment, eMail2 makescompliance transparent, ensures the security of archived e-mail,supports legal and litigation processes and addresses compliancerequirements worldwide.

Private E-Mail Networks

The structure of eMail2 allows for the creation of Private E-mailNetworks (PENs). PENs are communication networks that functionindependently of traditional e-mail networks, but preferably do notpreclude users from using their regular e-mail address, e-mail client,or communication methods. As the name implies, PENs are private, but thelevel of privacy is preferably directly tailored to the needs of aneMail2 client. With eMail2, it is possible for a large business (e.g. anAmerican HMO) to run its own eMail2 service and only allow hospitalemployees and patients to communicate through it. Alternatively, ageneral purpose eMail2 service provider could offer securecommunications to anyone willing to join or subscribe to its services.

Members of eMail2 PENs preferably can belong to more than one networkand may decide on a per message basis which PEN service to use. Everysubsequent activity (e.g. replying and forwarding) is preferably drivenfrom the PEN service originally chosen by the sender. Even messagerecipients who are not members of a sender's PEN are able to retrievemessages from the sender's specified PEN. This increases security byreducing the number of times an eMail2 message is kept in storage, andtherefore reducing the chance that data could be compromised.

So, for example, a single HMO could institute multiple PENs for multipleusers and with different security policies: A high-security PEN withstrong cryptography, virus scanning, message access controls, andtracking for emails relating to patient health records; amedium-security PEN with medium security, fewer message access controls,and tracking for intra-office business communication; and alow-security, low-tracking general purpose PEN for non-businesscommunication.

The eMail2 system need not itself include any anti-spam software,anti-virus software, blacklist software, encryption key or a TCP/IPprotocol, but may instead work in conjunction with pre-existing softwarefor handling these tasks. Furthermore, eMail2 is not a different e-mailmessaging system to replace MS Exchange, Outlook, etc, or another webbased e-mail system like Gmail or Hotmail.

3. ARCHITECTURAL COMPONENTS OF THE PREFERRED EMBODIMENTS

The components and subcomponents depicted in FIG. 1 can be logicallydivided into four areas: the sender and recipient's local computingdevices (FIG. 1, 100) (PCs, Personal Digital Assistants, set-toptelevision boxes, etc.), the eMail2 service 110 (comprised of one ormore servers), traditional e-mail1 servers 103, and the communicationprotocols used to exchange information over the Internet.

While FIG. 1 illustrates a client plug-in-to-server communication model,it will be recognized that the system may also be implemented with webclient-to-server communication model, or even a server-to-servercommunication model. The system can also be effectively implementedacross terminal services/Citrix access type architecture withoutdeparting from the scope of the invention.

a. Sender and Recipient's Local Computing Devices

E-Mail Client [EC]

The e-mail client 101 is responsible for creating, exchanging, andviewing e-mail messages and may be a conventional e-mail1 client.Existing e-mail clients include MS Outlook, Eudora Mail, and LotusNotes. As used herein, “e-mail client” refers to any program (e.g.PC-based, web-based, PDA-based, etc.) that allows for the creation andmanagement of e-mail messages though existing e-mail protocols such asSMTP. Ordinarily, the e-mail client does not itself include any eMail2functionality, but rather relies on the eMail2 client plug-in 108 toprovide this functionality.

Anti-Virus/Spam Client [AVC]

Anti-virus/spam clients 102, which may include or consist ofconventional, pre-existing anti-virus and spam filtering software, maybe installed on the local computers or servers of the sender and/orrecipients 100 (or on the eMail2 service server 110) and are used toscan e-mail messages and attachments for malicious code or spam fromunwanted senders. In the preferred embodiment, these programs are not apart of the eMail2 system, but may be used in conjunction with eMail2.For example, the results of these scanning processes 102 may bedisplayed in the access message and delivery slip (FIG. 30, 806) of eacheMail2 message.

eMail2 Client Plug-In [e2CP]

The eMail2 client plug-in 108 is the client component used to exchangeeMail2 messages. The eMail2 plug-in is preferably universal (one versionper e-mail client such as Outlook for Windows, Mail for Apple) and isoptionally installed on both the sender and recipients' local computingdevices (FIG. 1, 100). The client plug-in is preferably responsible forcreating, sending, retrieving, and forwarding eMail2 messages andretrieving/sending tracking record(s) and other information provided byan eMail2 service 110. It also incorporates the added features offeredby eMail2 (creating private messages, ratings, surveys, etc.) and ispreferably responsible for all communications with the eMail2 service.The functionality of the eMail2 client plug-in can be replicated in theform of the e-mail web client interface 127.

Different versions of the eMail2 client plug-in 108 can be developed bythird party programmers for each e-mail client 101 using eMail2's APIobjects. Alternatively, the functionality of the eMail2 client plug-in108 may be integrated directly into existing e-mail clients, or may beintegrated into the operating system of the users' computers.

eMail2 Client Plug-In Global Unique Identifier [e2CPGUID]

The eMail2 client plug-in global unique identifier is a uniqueidentification key that is tied to each specific installation of theeMail2 client plug-in 108. The e2CPGUID is used in conjunction with theeMail2 User Key [e2UK] and e-Mail1 Address [e1A] in validation andauthentication with the eMail2 service server 110.

Cryptographic Engine

Cryptographic engines (FIG. 2, 115) are used by applications to encryptor decrypt data. In the eMail2 system, a cryptographic engine 115 mayexist on the client side, the service side, both, or neither. Variouscryptographic engines 115 already exist, and may be implemented intandem with eMail2 system architecture. A specialized cryptographicengine 115 called the eMail2 Interchangeable Cryptography Engine 123 isdisclosed below. The Interchangeable Cryptography Engine 123 is a partof the eMail2 system in some embodiments and is not an existingCryptographic Engine 115.

eMail2 Interchangeable Cryptography Engine [ICE]

The eMail2 ICE (FIG. 26, 123) is a type of cryptographic engine (FIG. 1,115). The eMail2 ICE (FIG. 26, 123) is an optional component of theeMail2 system. When provided, it may be part of the eMail2 service 110,the eMail2 client plug-in 108, both. The eMail2 ICE, when present,handles the encryption and decryption methods used to protect andtransport messages. The eMail2 ICE is preferably a modular encryptionsystem, allowing new encryption methods and existing third-party methodsto be integrated into the eMail2 system on a server-only level, aclient-only level, or both.

eMail2 Communication Plug-in [e2COM]

The eMail2 communications plug-in (FIG. 26, 124) is an executablesubcomponent of the eMail2 ICE 123 and is used by the ICE 123 toencrypt/decrypt each eMail2 message with a particular encryption method.e2COMs 124 are security expansion packages for the eMail2 ICE 123: eache2COM 124 contains an encryption/decryption method and is implementedthrough the ICE Application Programming Interface (API) 125. Anunlimited number of e2COMs 124 can be created and installed by thirdparty developers for use with the eMail2 ICE 123. The e2COMs may, forexample, be implemented as DLLs.

As encryption methods improve, existing encryption methods are broken,or if the business needs of a specific eMail2 service (FIG. 1, 110)requires stronger encryption, new e2COMs (FIG. 26, 124) can be developedand made available for use with one or more eMail2 services (FIG. 1,110). As subcomponents of the eMail2 ICE (FIG. 26, 123), e2COMs 124 areinstalled and registered wherever the ICE is implemented. In thepreferred embodiment, one e2COM 124 (a default) is included inside theICE 123, but custom and third party e2COMs can also be added as neededor desired by services/users. Encryption methods that may be implementedas e2COMs 124 include (but are not limited to) AES, DES, DSA, SHA1, MACTripleDES, MD5, RC2, Rijndael, RSA, SHA256, SHA384, SHA512, etc.

eMail2 Communication Plug-In UUID [e2CPUUID]

The eMail2 communication plug-in WUID is a unique identifier that istied to an eMail2 communication plug-in 124. The eMail2 plug-in (FIG. 1,108) can use the communication plug-in WUID to identify which eMail2communication plug-in (FIG. 26, 124) to use when communicating with aspecific eMail2 service (FIG. 1, 110).

b. Email2 Service

eMail2 Message [e2M]

An eMail2 message is an electronic message, including plain text, html,and/or attachments, that is sent through an eMail2 service 110. TheeMail2 message may also include public and private message content andattachments. All of the actions that can be performed with respect to aneMail2 message (creating, forwarding, replying, reading, tracking, andso forth) are facilitated by the eMail2 client plug-in 108 (or theeMail2 web client interface 127) and/or the eMail2 service 110. In someembodiments, the eMail2 web client interface 127 can actually take theplace of the eMail2 client plug-in 108, allowing users to perform allusual eMail2 message actions (creating messages, retrieving messages,replying, forwarding, etc.) across a preferably secure connection at aeMail2 service web interface (e.g. a website).

eMail2 Public Message [e2M Public]

With the eMail2 public/private message system, senders can create‘sub-messages’ within a single logical e-mail message. Thesesub-messages can be either public or private. A public eMail2 messagecan be viewed and replied to by all recipients, and is generallycontained within the “all” tab of the tabbed e-mail window interface.

eMail2 Private Message [e2M Private]

With the eMail2 public/private message system, senders can create‘sub-messages’ within a single logical e-mail message. Thesesub-messages can be either public or private. A private eMail2 messagecan be viewed and replied to only by the recipients that it isspecifically addressed to. In an e-mail conversation, the privatemessages are only retrieved by the intended recipients. Private messagesare generally displayed within tabs labeled for specific recipients inthe tabbed e-mail window interface that may include one or morerecipient per tab (See FIG. 19).

eMail2 Message ID [e2MID] and eMail2 Parent Message ID [e2PMID]

Message IDs and Parent Message IDs are embedded in eMail2 messages whenthey are created. A Message ID is the unique identifier for an eMail2message, and enables several of the extended features that eMail2offers. Every eMail2 message has a Message ID, and messages that arereplies or forwards (derivative messages) contain Parent Message IDsthat identify them as members of a specific eMail2 conversation (orthread).

If Message B is a reply to Message A, then Message B will contain both aMessage ID that uniquely identifies it as a message, as well as a ParentMessage ID that links it to Message A.

eMail2 Service/Server [e2S]

The functions of the eMail2 service (which is comprised of one of moreservers) (FIGS. 1 and 2, 110) may include but are not limited to (1)registration/activation of eMail2 users; (2) e-mail2 message storing,archiving, scanning, and retrieving; (3) introductory message creationand delivery; (4) access message creation and delivery; (5) dynamicdelivery slip creation and hosting; and (6) web services. The eMail2service 110 also preferably offers a management console that allowsadministrators to manage their member base, control server traffic flow,receive reports about system activity, and access other administrativefunctions.

The eMail2 service 110 is preferably a combination of hardware andsoftware running on one or more servers. From a client computer'sperspective, it is a single, autonomous entity that provides eMail2services, even if the actual eMail2 service 110 is distributed betweenmultiple computers or servers. The eMail2 service 110 preferably runs onthe Windows or UNIX operating systems, although it may run on anyoperating system platform. The eMail2 service data layer 120 preferablyruns on a relational database management system such as Microsoft SQLServer or Oracle, although it may run on any type of data repository.The eMail2 service can be hosted by any ISP or internally by anyorganization. It may authenticate each user, store eMail2 messages in anencrypted manner, and send and retrieve each eMail2 message. The eMail2service 110 may also log activity related to an eMail2 message andcreate and update eMail2 access messages and delivery slips accordingly.

eMail2 Service Global Unique ID [e2SGUID]

The eMail2 Service Global Unique Identifier preferably uniquelyidentifies a specific eMail2 service 110. It may be stored on both theeMail2 service 110, and on the local computer 100 of any eMail2 usersthat have activated with the specific service 110.

eMail2 User Key [e2UK]

The eMail2 user key is generated from a user's e-mail1 address and aspecific eMail2 service 110 as identified by an e2SGUID. User keys areservice-specific and are created during passive registration. In oneembodiment, the user key is embedded into the local PC registry of theuser's computer 100. In other embodiments, the user key may be stored inother locations, such as networked or removable storage. The user keyserves to uniquely identify a user when accessing a particular eMail2service 110. It is created and delivered to the user by the eMail2service 110 and, in the preferred embodiment, is always transferred in asecure manner between the different hardware components.

eMail2 Activation Code [e2AC]

The eMail2 activation code may be generated when a user registers withan eMail2 service 110. In one embodiment, a user registers by navigatingto an eMail2 service's web client interface 127 and providing his or here-mail address to the eMail2 service. An activation code is preferablycomprised of: an eMail2 user key, an eMail2 CPGUID and an e-mailaddress. The registered e-mail address becomes “bound” to the eMail2service 110. Upon providing this e-mail address, the eMail2 service 110preferably sends an eMail2 activation code (which may or may not beencrypted) via e-mail1 to the user's e-mail client 101 where it isintercepted by the eMail2 client plug-in 108 to complete the activation.

eMail2 Message Access Key [e2MAK]

The eMail2 message access key uniquely identifies an eMail2 message andcontains information about where the message is stored. It is preferablyused by an eMail2 service 110 and client plug-in 108 to track all of theactions that occur for the message.

The message access key preferably contains non-secret information whichdescribes the eMail2 message, the eMail2 service 110 from which it is tobe retrieved and the unique message ID that identifies it on the service110. The message access key might not contain any sensitive informationbut is preferably obscured by a public algorithm. This algorithm ispreferably included natively within all versions of the eMail2 clientplug-in 108, thereby allowing all eMail2 client plug-ins to decipher theeMail2 message access key. However, without the other key personalinformation (such as the eMail2 user key and possibly even the eMail2CPGUID, for example) it is impossible or difficult to retrieve themessage. See FIG. 11 and FIG. 12 for eMail2 message access key samples.The eMail2 message access key may contain (but is not limited to) thefollowing four elements:

1. The eMail2 service node (FIG. 2, 116) address or eMail2 service hostID.

2. A unique eMail2 message ID.

3. A unique eMail2 parent message ID.

4. The eMail2 message access key state.

Note that the message access key is preferably not used as an encryptionor decryption key for encrypting/decrypting eMail2 messages. Theencryption/decryption of each message is preferably the responsibilityof a cryptographic engine 115 (such as the ICE [FIG. 26, 123]) or theeMail2 client plug-in (FIG. 1, 108) itself The eMail2 client plug-inuses the message key to locate and retrieve each eMail2 message from aneMail2 service 110. If the user's e-mail address and unique user key arevalid and authenticated by the eMail2 service 110, the eMail2 clientplug-in 108 is able to retrieve the eMail2 message.

eMail2 Message Initialization [e2MI]

An eMail2 message initialization occurs when an eMail2 client plug-in108 has supplied valid credentials for message creation with a service110. The message initialization is an empty database entry in the eMail2service's data layer 120, containing:

-   -   eMail2 User Key (e2UK)    -   eMail2 client plug-in Global Unique ID (e2CPGUID)    -   Parent Message ID (for tracking replies)    -   Forward ID (for tracking forwards)    -   Message Options    -   Status (at this point, ‘initialized’)    -   Date and time of the message initialization.

A specific message initialization is identified by a Message ID. Newmessage initializations are performed for every new message, includingreplies, forwards and each private or public message. Old or unusedmessage initializations are preferably never reused for new messages.

In some embodiments, the message initialization takes place as soon asthe e-mail composition window is opened (i.e. once the user chooses tocreate a message with eMail2). In other embodiments, the messageinitialization can take place upon the send command, or during any otherevent than can be recognized by the eMail2 client plug-in 108.

eMail2 Introductory Message [e2IM]

The eMail2 introductory message is used to initiate a new eMail2 messagewith one or more recipients. In one embodiment, the introductory messageis a text-only message. It may be sent via e-mail1 or some othercommunications protocol. In one embodiment, it contains a generic“welcome” statement and a unique eMail2 message key. The introductorymessage preferably includes a hyperlink to, or URL of, an Internet sitefor downloading the eMail2 client plug-in 108. The introductory messagemay additionally or alternatively include a link to the web clientinterface 127, if this is feature enabled by the eMail2 service 110. Ifthe recipient's computing device already has the eMail2 plug-in 108installed thereon, the recipient ordinarily will not see theintroductory message, but will instead see the eMail2 access message(see description below). See FIG. 13 for an eMail2 introductory messagesample. Optionally, an applet that functions as a ‘reader’ could beattached to the introductory message. Using this bundled ‘reader,’ therecipient may be able to access and read the eMail2 message addressed tohim or her without installing the eMail2 client plug-in (FIG. 1, 108) oraccessing the web client interface 127. Any type of scripting orprogramming language could be implemented to create this applet.

eMail2 Access Message [e2AM]

The eMail2 access message is generated by an eMail2 service 110 once theintroductory message is retrieved by the eMail2 client plug-in 108 of arecipient. The access message may be automatically retrieved by theeMail2 client plug-in 108, and may dynamically replace the introductorymessage in the user's inbox. Alternatively, a user may send a “retrieveaccess message” command, using the eMail2 toolbar, to achieve the sameresult (See FIG. 27B).

While the introductory message may be sent over SMTP protocols, theaccess message is preferably retrieved over HTTP or HTTPS (or any otherTCP/IP channel). This allows increased transport security for the accessmessage. See FIG. 16 for an eMail2 access message sample.

eMail2 Delivery Slip [e2DS]

The eMail2 delivery slip (FIG. 30, 806) is preferably a web-basedextension of the access message retrieved by the eMail2 client plug-in(FIG. 1, 108) and a part of the web client interface 127. The deliveryslip (FIG. 30, 806) may display extensive tracking and relationalinformation, presenting it dynamically on a webpage. It may also includea dynamic eMail2 mailbox (FIG. 28, 801), displaying all eMail2 publicand private messages that a user has stored on the eMail2 service (FIG.1, 110). Selecting these messages may display the metadata for thatspecific message. The delivery slip (FIG. 30, 806) preferably featureshigh levels of user interactivity and customizability. All featuresavailable to a user while using the eMail2 client plug-in (FIG. 1, 108)are preferably available to a user when viewing a delivery slip (FIG.30, 806) through the use of the eMail2 web client interface (FIG. 1,127).

eMail2 Web Client Interface [e2WCI]

In embodiments that include a web client interface 127, the web clientinterface 127 is a web-based companion for the eMail2 client plug-in108. The web client interface 127 includes the eMail2 delivery slip(FIG. 30, 806). The web client interface (FIG. 1, 127) offers similarfunctionality as the eMail2 client plug-in 108 in the sense that itallows for safe, secure creation, retrieval, replying, forwarding, etc.of eMail2 messages. The web client interface 127 is preferably accessedby eMail2 users with a web browser over a secure TCP/IP connection likeHTTPS. In one embodiment, a hyperlink is included in either theintroductory message or the access message, directing the user to theweb client interface 127. In other embodiments, the web client interface127 may be accessed via a secure log-in screen on the service's website,or by a button on the eMail2 client plug-in toolbar (FIG. 27b ).

The eMail2 web client interface (FIG. 1, 127) enables fully functionaluse of an eMail2 service from a location where the eMail2 client plug-in108 is not installed. With the eMail2 web client interface 127, it isnot necessary for a user to install the eMail2 client plug-in 108 to useeMail2.

The delivery slip (FIG. 30, 806) aspect of the web client interface(FIG. 1, 127) preferably contains a ‘pre-send’ state that allows a userto set outbound message options (whether or not to enable tracking,ratings, surveys, allow replying/forwarding, etc.). These options arepreferably set through the web client interface 127 regardless ofwhether the message is being composed with the client plug-in 108 or theweb client interface 127. If the user is composing the message with theeMail2 client plug-in, this aspect may be transparent.

eMail2 Service Provider [e2SP]

The eMail2 service provider or host is similar to an ISP (InternetService Provider) but provides eMail2 services and product downloads.eMail2 service providers can host Private E-mail Networks (PENs),(essentially, private eMail2 services 110), enabling e-mailcommunication outside of the traditional e-mail networks and withoutusing the traditional e-mail protocols. An eMail2 service provider ispreferably administrated by an eMail2 Super Administrator.

Since companies can preferably host their own eMail2 services 110 (orPENs), it is possible for a company to be an eMail2 service providerwhile maintaining a company-specific eMail2 service 110. A serviceprovider is host to one or more services 110 which users may join anduse.

eMail2 Certification Authority [e2CA]

The eMail2 Certification Authority (FIG. 1, 112) is preferably acombination of hardware and software running on one or morecomputers/servers. The certification authority maintains a mapping ofuser e-mail addresses to eMail2 service providers. In some embodiments,it may also provide regular updates about the current list of availableeMail2 services 110 to all eMail2 client plug-ins 108.

Additionally, the certification authority 112 may be implemented toauthenticate eMail2 services 110. Legitimate eMail2 services arevalidated by the eMail2 certification authority 112 by means of publiclyviewable, electronically signed certificates. When an eMail2 clientplug-in 108 attempts to connect to a service 110, it may first check thecertificate provided by the service 110. If the certificate is invalidor does not exist, the eMail2 client plug-in 108 will inform the userthat the service 110 is not registered or validated with the eMail2certification authority 112. The user then has the choice to eitherignore this warning and continue, or to block this service 110 fromcommunicating with his or her eMail2 client plug-in 108.

In the preferred embodiment, the certification authority's 112validation and certification procedure is a manual process, but in otherembodiments, it may be automated.

c. Traditional E-Mail1 Servers

E-Mail Address [e1A]

An e-mail address refers to a specific e-mail account to which a usercan send and receive messages. For example, bgatesgmicrosoft.com is ane-mail address.

E-Mail1 Server [e1S]

An e-mail1 server (FIGS. 1, 103 and 105) provides a service that enablesa user to send and/or receive e-mail via any of the existing e-mailprotocols. Users' e-mail1 servers 103 and/or 105 may be hosted at theirISP or internally within an organization (e.g. MS Exchange).

E-Mail1 Message [E1M]

An e-mail1 message is an e-mail message sent using traditional e-mail1protocols such as SMTP, POP3, and IMAP.

d. Network Protocols

SMTP, POP3, and IMAP Protocols

SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol used forsending e-mail. POP3 (Post Office Protocol 3) is the most recent versionof a standard protocol for receiving e-mail. POP3 is a client/serverprotocol in which e-mail is received and held by the recipient'sInternet server. Periodically, the recipient (or the recipient's cliente-mail receiver) checks a mailbox on the server and downloads any mail,typically using POP3. This standard protocol is built into most populare-mail products, such as Eudora and Outlook Express. It is also builtinto the Netscape and Microsoft Internet Explorer browsers. For moreinformation on POP3, refer to RFC 1725, RFC 1734 and RFC 1939. IMAP isanother protocol that provides the user more capabilities over POP3 forretaining e-mail on the server and for organizing it in folders on theserver. IMAP can be thought of as a remote file server. IMAP4 can beused to access multiple mailboxes and mailbox folders, as well as publicfolders. For more information on IMAP4, see RFC 2060 and RFC 2061.

Hyper Text Transfer Protocol Over SSL [HTTPS]

HTTPS is a secure TCP/IP protocol. HTTPS streams are encrypted usingboth asymmetric and symmetric algorithms. Although HTTP and HTTPS isused for illustration purposes in this document, other communicationprotocols can be used in conjunction with eMail2 methods.

4. EMAIL2 USERS AND ADMINISTRATORS

In the eMail2 system, there are users and administrators. eMail2administrators can be further divided into super administrators andservice administrators (FIG. 25, 128). The power hierarchy (from themost powerful to the least) is as follows:

1. Super administrator

2. Service administrator

3. User

Users belong to an eMail2 service (FIG. 1, 110), which is controlled byat least one service administrator (FIG. 25, 128). Services (FIG. 1,110) belong to a service provider, which is controlled by at least onesuper administrator. Service providers are preferably independent ofeach other, and as such, a super administrator for one service providerhas absolutely no control over a different service provider or theservices 110 hosted on it.

Super Administrator

Super administrators are the most powerful administrative users in theeMail2 system. Super administrators control eMail2 service providers,which host multiple eMail2 services 110. A super administrator canperform all administrative functions for the service provider as a wholeas well as all administrative functions for each eMail2 service 110. Fora given service provider, the super administrator can preferably access,search, view, and/or track eMail2 message transactions made by one ormore specific eMail2 users on any of the services 110 being hosted bythe service provider.

However, even though the super administrator has sufficient privilegesto perform administrative actions for the services 110 that the serviceprovider hosts, this is generally not the domain of a superadministrator. Preferably, specific service 110 management falls to theservice administrators (FIG. 25, 128).

Service Administrator

Service administrators 128 are a step lower than super administrators inthe power hierarchy of the eMail2 system. Service administrators 128 areresponsible for one or more eMail2 services (FIG. 1, 110) that arehosted by an eMail2 service provider. For a given service, the serviceadministrator can access, search, view, and/or track eMail2 messagetransactions made by one or more specific eMail2 users. Preferably,service administrators only have sufficient privileges to administratetheir specific services 110.

User

Users are the basic members of the eMail2 system. Users preferably donot have administrative privileges for any level of the system. eMail2users of an eMail2 service 110 are uniquely identified by a eMail2 userkey. User keys are the identifying aspect of eMail2 user accounts on aservice.

Service Conferred Status

Users may have a specific status associated with their eMail2 useraccount. Certain statuses are set by the eMail2 service 110 that thespecific user account resides on. Service conferred user statusesinclude but are not limited to:

-   -   Active: This user is a regular user of an eMail2 service 110 and        is not restricted from his or her normal operating practices.    -   Inactive: This user has been temporarily suspended by a service        administrator or a super administrator. No further actions may        be taken by this user on the specific service 110 that has        labeled him or her inactive. Reasons for flagging a user as        inactive include, but are not limited to: suspicion of fraud,        ongoing investigation, failure to pay required charges,        disregard for service rules, etc.    -   Pending approval: Some services 110 may require the completion        of an approval process before the user is able to use the        specified service 110. This approval process may be automated or        manual, depending on the requirements defined by the service        110.

User Conferred Status

In addition to service conferred user statuses, users may also beflagged with statuses by other users. Preferably, the user conferreduser statuses are not stored in the flagged user account. Rather, userconferred statuses are stored locally by the conferring user. Thesestatuses include but are not limited to:

-   -   Trusted: The flagged user is on the conferring user's trusted        list. This may result in special treatment of the flagged user        by the conferring user's client plug-in. For example, a user may        choose to always retrieve all messages received from contacts on        his or her trusted list.    -   Allowed: The flagged user is allowed to communicate with the        conferring user. No special treatment is granted to        conversations involving ‘allowed’ users.    -   Blocked: The flagged user is unable to communicate with the        conferring user. A conferring user will never retrieve messages,        or receive introductory messages, from users that they have        flagged as ‘blocked.’

Preferably, users can confer similar statuses on specific eMail2services 110. For instance, a service 110 that a user has flagged as‘blocked’ will not able to contact that member, unless it is explicitlyun-blocked.

Global User Conferred Statuses

Because statuses are preferably stored in user accounts, and aretherefore specific to eMail2 services 110, if User A blocks User B atService 1, User A has not blocked User B at Service 2. To provide forcases where, for example, User A wants to block (or trust) User B on allservices, User A preferably has the option to block (or trust) User B'se-mail1 address. Thereafter, whenever User A's eMail2 client plug-in 108encounters User B's e-mail1 address, the associated user account on theservice 110 will be blocked (or trusted).

5. EMAIL2 HIGH LEVEL PROCESS FLOW (FIG. 1)

This section describes, at a high level, a preferred process flow forsending an eMail2 message with reference to the embodiment of FIG. 1.The numbers below correspond to the reference numerals depicted in FIG.1, and indicate the major components in FIG. 1. Events A through G aredescribed in the order which component interaction occurs in a typicalembodiment of the eMail2 system.

For purposes of illustration, the various process flows are described inthis document in the context of a system in which an eMail2 clientplug-in 108 is installed on the user computing devices. In embodimentsin which no such eMail2 client plug-in is used, the steps described asbeing performed by a plug-in may alternatively be performed by thee-mail client 101, the operating system, an e-mail1-attached executableor script, or the web client interface.

Event A

A sender first creates an eMail2 message using his or her e-mail client101 in conjunction with the eMail2 client plug-in 108. The eMail2 clientplug-in is responsible for eMail2 functionality such as authenticationto the eMail2 service 110 and encryption and decryption of each locallystored eMail2 message (with the aid of the optional eMail2 ICE (FIG. 26,123), described further infra).

Event B

The eMail2 client plug-in 108 sends an authentication request, viaHTTPS, to the eMail2 service 110. The service 110 authenticates thesender by determining whether his or her credentials are valid forsending messages with a specific service 110. Credentials may include,but are not limited to, a registered e-mail1 address, an eMail2 user keyand an eMail2 client plug-in global unique ID. Once authenticated, theservice 110 creates an empty entry associated with a Message ID in theservice's data layer 120 and sends the aforementioned Message ID back tothe sender's client plug-in 108. This process is called “MessageInitialization.” The sender's client plug-in then sends the eMail2message, including metadata and attachments if any, across the secureHTTPS connection, using the Message ID to store the eMail2 message body,attachments, and message decryption key (optional) in the service's datalayer 120. Preferably, the eMail2 Message Initialization in the eMail2service's data layer 120 is only valid for the current eMail2 messagesubmission and is different for each eMail2 message and each eMail2 userauthentication.

Although the eMail2 system can, in some embodiments, be implemented suchthat a single decryption key is communicated from the sender's computer100 to the recipient's computer 100, the eMail2 system is preferablyimplemented without any such transmission. Instead, the eMail2 systemrelies on decoupled local and server encryption, with safe transmissionof data across secured protocols.

Event C

The eMail2 client plug-in 108 receives the content for an introductorymessage from eMail2 service 110, and then sends the introductory messagethrough e-mail1 to the recipient, via the sender's SMTP server 103. As aresult of using the sender's SMTP server, the recipient will receive themessage from the sender's normal e-mail address and not an addressassigned by the eMail2 service. If the recipient has a safe-list or ablack-list of any sort, it should not affect the receipt of theintroductory message, provided the recipient can normally receivee-mail1 messages from the sender. Alternatively, the eMail2 service 110can send the introductory message on behalf of the sender from theeMail2 service's own SMTP server. If the introductory message is sentthrough e-mail1, it may go through an existing local scanning client 102such as those used by conventional anti-spam and anti-virus software.The results of these scans may be added to the eMail2 access message anddelivery slip (FIG. 30, 806) that is subsequently created by the eMail2service (FIG. 1, 110). The message may also be routed through anyscanning processes 102 that may exist between the sender's e-mail1server 103 and the recipient's e-mail1 server 103. Alternatively, if anyof the recipients are registered with the same eMail2 service provideras the one chosen by the sender, the introductory message may be sentover HTTP, thus bypassing e-mail1. In one embodiment, the introductorymessage contains a generic “welcome” message (see FIGS. 13 and 17) and aunique eMail2 message access key.

Event D

The eMail2 service 110, which may be hosted by a third-party eMail2service provider, stores the eMail2 message content in an encryptedstate in the data layer 120. In the preferred embodiment, access to theeMail2 messages stored on a particular service 110 is managed by thatservice, and eMail2 services 110 work independently from one another. Inaddition, all of the replying, forwarding, transaction tracking, andevent tracking (e.g. ratings, virus scan results, etc.) for a giveneMail2 message is handled by the eMail2 service 110 that originallyserviced the eMail2 message. The logical eMail2 message sent to andstored on service 110 may be separated into multiple sub-messages, eachwith its own message ID and parent message ID. In the preferredembodiment, an eMail2 message that contains a public message to “All”and multiple private messages to individual recipients is divided suchthat each private message is a separate sub-message (with its ownmessage ID). Only the designated recipients are able to retrieve theirprivate messages through their unique access message.

Event E

The eMail2 service 110 can perform additional virus and spam scanningprocesses on the eMail2 message using scanning module 102. While thisscanning process preferably occurs after the access message is producedand delivered to the recipients, the eMail2 message can still be blockedand deleted before the recipients have a chance to retrieve it. Inaddition, if a virus is detected by module 102, service 110 may updateall of the recipients via an updated access message. If new informationbecomes available, service 110 may automatically update the accessmessage and display a warning message alerting the recipient of new andcritical information. In addition to a custom access message, recipientshave the option to view a dynamic ‘delivery slip’ before retrieving themessage. This delivery slip (FIG. 30, 806) contains information similarto that of the access message, but is web-based. In the preferredembodiment, the web-based delivery slip is a part of the web clientinterface (FIG. 1, 127), and is seamlessly integrated with sending,retrieving, replying to and viewing eMail2 messages.

Scanning module 102 may decrypt each message during the scanningprocess. Preferably, the messages are not re-encrypted once the scanningis completed.

Service 110 may also use blacklist programs so that introductorymessages from specific senders may be blocked.

Event F

The recipient's e-mail client 101 receives the introductory message fromthe sender. This message may be scanned by anti-virus/spam clients 102on the recipient's local computing device 100. If the recipient does nothave an eMail2 client plug-in 108 installed, the introductory messagemay display a welcome message inviting the recipient to install theeMail2 plug-in (see FIG. 17), a hyperlink to the web client interface127, or an attached executable that implements eMail2 client plug-infunctionality.

If the recipient does have the eMail2 client plug-in 108 installed, theclient plug-in 108 automatically retrieves the access message fromservice 110 onto the recipient's computing device 100 using the eMail2message access key in the introductory message. In one embodiment, therecipient opens the access message in order to retrieve or reject theeMail2 message. In another embodiment, the eMail2 client plug-in 108 mayautomatically prompt the user to retrieve the eMail2 message when anaccess message is received. In yet another embodiment, plug-in 108 mayautomatically retrieve the eMail2 message from eMail2 service 110 whenan access message is received or when an access message meeting certaincriteria is received.

If the recipient is given the option of manually retrieving the eMail2message, the recipient may retrieve the body of the eMail2 message andits attachment(s), the body of the message only, or simply delete theaccess message and ignore the message and its attachments altogether.eMail2 messages and attachments are stored encrypted on the service 110,so upon retrieval, the specified items are decrypted and sent to theuser over a secure (encrypted) channel.

In the preferred embodiment, recipients can reply to eMail2 messageswithout having to subscribe to any eMail2 services 110. This process isdescribed further infra. Preferably, all replies are processed by thesame eMail2 service 110 that processed the original message.

Event G

Third party applications 113 can access eMail2 services through the useof an eMail2 web services API instead of using the e-mail2 clientplug-in 108. Such web services may be customizable to differentapplications in order to provide eMail2 compliant services.

It should be recognized that the message initialization described inEvent B may occur at a different point in the process flow. Forinstance, the system may be implemented with message initializationoccurring on a send command, or during any other event that can berecognized by the eMail2 client plug-in.

6. EMAIL2 CLIENT PLUG-IN AND EMAIL2 SERVICE ARCHITECTURE (FIG. 2)

FIG. 2 illustrates the two major components of one embodiment of theeMail2 system: the eMail2 client plug-in 108 and the eMail2 service 110.

The eMail2 Client Plug-In

The eMail2 client plug-in 108 represents the client layer of the eMail2architecture. In one embodiment, the eMail2 client plug-in 108 resideson the user's local computing device 100, as depicted in FIG. 2. Inanother embodiment, the plug-in 108 may reside in a separate location,such as a networked resource, that is accessible by the user's computingdevice 100.

The eMail2 client plug-in 108 controls all of the data exchanges betweenthe user's computing device 100 and the eMail2 service 110. These dataexchanges are preferably performed through the HTTPS protocol. TheeMail2 client plug-in 108 also interacts with the user's e-mail client101 and user storage 118.

A cryptographic engine 115 preferably exists in the eMail2 clientplug-in 108. The cryptographic engine 115 is used for the encryption anddecryption of messages that are stored locally. In one embodiment, thecryptographic engine 115 is the Interchangeable Cryptographic Engine(ICE), a proprietary encryption engine.

However, the eMail2 system may be implemented so that the ICE onlyexists on the server side, and a separate cryptographic engine isdesigned or implemented for the client plug-in 108/local environment.

The eMail2 Service

The eMail2 service 110 represents the server layer of the eMail2architecture and preferably comprises two modules: the service node 116and the server admin node 117.

The service node 116 may handle service processes such as useractivation/deactivation, incoming and outgoing eMail2 message management(including encryption and decryption), and transaction tracking. Thisnode also processes the sending and updating of access messages andmessage metadata tracking (including message ratings, virus statusresults, etc.). Preferably, the service node 116 communicates with theeMail2 client plug-in 108 through HTTPS.

The server admin node 117 may be used to configure, maintain and monitoroperations performed by the eMail2 service 110. These administrativefunctions may be made available through secured, direct server access,or through the use of eMail2 application programming interfaces.

The server admin node 117 may also be responsible for user accountconfiguration. For example, this node may provide users with variousoptions or services such as eMail2 plug-in downloads, user accountmanagement (including changing configuration options for messagethreading, storing and archiving, etc.), and server summary reporting.These features can be made available via a web based interface 130 tousers, or through a web services API to third party applications.

The hardware configuration of an eMail2 service 110 supports multiplephysical servers. In one embodiment, HTTP or HTTPS communication to theeMail2 service 110 uses an “access violation” detection method. Thus,eMail2 service 110 commands in this embodiment may only be issuedthrough an eMail2 plug-in 108. In addition, data such as transactiontracking and message ratings may be displayed in a browser on the clientside but may only be retrieved by an eMail2 client plug-in 108. In otherembodiments, commands may be issued through a secure web clientinterface 127.

The eMail2 Data Layer 120

A third layer of the eMail2 architecture is the data layer 120. The datalayer 120 stores eMail2 data such as the following: Message ID, eMail2user key, eMail2 client plug-in global unique ID, message options,message status, date of initialization. The eMail2 data layer 120 isflexible, and can store more or less information depending on what isrequired of it. Although the data layer 120 is depicted in FIG. 2 assitting within the eMail2 service block, this layer may reside on acompletely different server. In addition, like an eMail2 service 110,the eMail2 data layer 120 may be split among many physical servers.

7. EMAIL2 ACCOUNT REGISTRATION AND ACTIVATION (FIGS. 3 AND 4)

FIG. 3 illustrates the components involved in the eMail2registration/activation process according to one embodiment. FIG. 4illustrates a typical workflow for this process. The numbers belowcorrespond to the reference numerals in FIG. 3. Events A through Gdescribe the typical process for registration and activation.

“Activation” refers only to the creation of a relationship between aspecific client plug-in (identified by the CPGUID), an eMail2 service110 (identified by the service GUID or SGUID) and an e-mail1 address.This relationship is created automatically when an eMail2 client plug-in108 encounters a new service 110. A user may have multiple activationsfrom multiple locations under one e-mail address, (e.g., a user may beactivated with one service 110 from both home and the office). Anactivation is essentially a registration that is specific to a givencomputer.

“Registration” refers to the process of supplying user information tothe eMail2 service 110. While a user can have multiple activations for asingle service 110 and e-mail1 address, a user can only have oneregistration per eMail2 service 110 and e-mail1 address. For thepurposes of an eMail2 service 110, there are two types of registration,‘active’ and ‘passive.’

“Passive registration” is called such because it requires no action onthe part of a user. When a user receives a new activation from ServiceA, an eMail2 user account is created on the service for that user. ThiseMail2 user account is identified by the user's e-Mail1 address and theeMail2 service 110 he or she is using. Passive registration allows auser to retrieve messages from that service and respond to them, but theuser is unable to create new messages or access extra features that theservice 110 may provide. From a user perspective, passive registrationis completely transparent. From the perspective of an eMail2 service110, however, it is important so that the service can interact with theuser while retaining reliable auditability and trackability.

“Active registration” is essentially the completion of passiveregistration. During active registration, users enter personalinformation about themselves, possibly including, but not limited to,name, address, phone number, e-mail1 address, billing information, etc.Preferably, the user information fields are entirely configurable on aper-service basis. Depending on the security policies set up by specificservices 110, active registration could be required to create new eMail2messages, as well as access any extended features the service may offer.However, this is completely configurable on a per-service basis. Certainservices 110 may require active registration before recipients are evenable to retrieve messages, or at the other end of the spectrum, they mayallow full use of the service 110 with only passive registration.

In the following workflow, it will be assumed that a service 110requires active registration before allowing the creation of newmessages, but users are able to retrieve messages with only passiveregistration.

Registering/Activating an eMail2 Account (FIG. 3)

Event A: When a user first downloads and installs the eMail2 clientplug-in 108, he or she has no activations or registrations.

Event B: If the user has an introductory message in his or her inbox,the eMail2 client plug-in 108 automatically contacts the specific eMail2service 110 and attempts to retrieve the access message. At this point,“service discovery” occurs. Service discovery occurs as follows: (i) TheeMail2 plug-in 108 recognizes an eMail2 introductory message in theinbox. (ii) Using the message access key in the eMail2 introductorymessage, the eMail2 client plug-in 108 determines whether or not it haspreviously interacted with the service 110 that sent the message. (iii)If the plug-in 108 has not communicated with the service 110 before, theuser may be given the option to allow or block communication with thespecific service 110. If the user allows communication, he or she isable to decide whether or not to trust the service 110 as well. If theuser chooses to block the communication, nothing further happens.Otherwise, the user may become passively registered with the service110, as well as activated for a specific installation of the eMail2client plug-in 108. (iv) In one embodiment, the client plug-in 108contacts a certification authority to determine whether or not theservice 110 is certified. This information can be displayed to the userwhen he or she is deciding whether to block/allow/trust the service 110.(v) If the plug-in 108 has communicated with the service 110 before, itmay remember the user's choice from the first time the service 110 wasdiscovered.

Event C: If a user does not have an existing introductory message in hisor her inbox, he or she may visit the website of the eMail2 service 110and actively register, which causes a welcome message to be sent to theuser over eMail2. Because the welcome message is an eMail2 message, thenew user receives an introductory message via the user's e-mail1 server103. The user may register and activate for the given service 110 usingthis introductory message.

Event D: Passive registration and activation occur: Passive registrationis an automatic process that is transparent to the user. When a usercontacts a service 110 for any reason, the eMail2 client plug-in 108sends the eMail2 service 110 the user's e-mail1 address. The eMail2service (identified by the service GUID) and the e-mail1 address formwhat is called an eMail2 user key, which identifies an eMail2 user usinga given eMail2 service 110. This passive registration is not enough tovalidate a user's identity, and as such, most services 110 will notallow passively registered users to use the system fully.

Activation occurs when an eMail2 service 110 receives an eMail2 user keyand eMail2 client plug-in global unique identifier (CPGUID). Theactivation is specific to a single installation of the eMail2 clientplug-in 108 (as identified by the CPGUID). If this is the first contacta user has had with an eMail2 service 110, the CPGUID may be assigned bythe service 110, the service provider or the certification authority112. Alternatively, the CPGUID may be generated at the time of theeMail2 client plug-in 108 installation. The activation, comprised of aneMail2 user key and eMail2 client plug-in GUID, is sent back to theeMail2 client plug-in 108 and stored on the user's local computer.

Event E: When an eMail2 user account is created on an eMail2 service 110through either passive or active registration, the eMail2 user key issent back to the eMail2 client plug-in 108. In one embodiment, theeMail2 client plug-in 108 stores the eMail2 user key locally, either inthe user's computer registry, or elsewhere on the client's computer. Theuser's e-Mail1 address, the eMail2 service GUID and the CPGUID may alsobe stored with the eMail2 user key. Alternatively, this informationcould be stored securely on specific eMail2 services 110.

Event F: Preferably, full registration is required before the user caneither create new messages or take advantage of the extended featuresassociated with the eMail2 service 110 he or she is using. Fullregistration involves the following steps: (1) The user visits a securedportion of the eMail2 service's website, specific to the service 110that the user wishes to register with. (2) The user is then prompted toenter identifying information. In preferred embodiments, this includesthe e-Mail1 address that the user wishes to officially associate withthe eMail2 service 110, but it can also include any other informationthe eMail2 service 110 wishes to collect, (e.g. Billing information).(3) For the registered electronic mail feature, the service 110 may alsoprompt the user to enter a password (for later retrieval of messages ortracking results from the service's website).

Event G: In some embodiments, the user can request that the eMail2service 110 and his or her eMail2 user key be registered with the eMail2certification authority 112 for future reference. Alternatively, theservice/user key registration may occur with a different entity, createdspecifically for such a purpose.

A user may subscribe to multiple eMail2 services 110 using the samee-mail address. Each subscription may have its own settings and securityoptions. Conversely, the same eMail2 service can be bound to multiplee-mail addresses of a single user. Thus, a many-to-many relationship mayexist between e-mail addresses and registered eMail2 services 110, allusing a single eMail2 client plug-in 108. For each subscription to aneMail2 service 110, a new eMail2 unique user key is generated (throughthe activation process) and registered by the user's eMail2 clientplug-in 108.

In one embodiment, if the user changes computer devices, the newinstallation of the eMail2 client plug-in must be activated again. Thisactivation can be performed by re-opening, on the new computing device,the initial introductory message (containing the activation code)received via e-mail1 or requesting a new activation code by registeringagain on the eMail2 service provider's website. Registering more thanonce with the same eMail2 service 110 (using the same e-mail address)preferably does not create multiple eMail2 user accounts. Therefore, allprevious messages are still available under the same account.

Deactivation

A user is preferably able to “deactivate” a specific installation of theeMail2 client plug-in 108. In one embodiment, “deactivation” isperformed through a secure section of the eMail2 service 110's website.If a plug-in is “deactivated” it can no longer perform any eMail2operations with respect to the affected e-mail address/eMail2 service110 combination. Thus, if the user's computer is stolen, the user canchange the password of his or her e-mail account and deactivate theeMail2 plug-in installed on that computer (for each service).

Sample Steps to Deactivate Through an eMail2 Service Provider

1. User visits the eMail2 service 110's web site and enters the e-mailaddress that should be deactivated. As described previously, anactivation is comprised of a CPGUID and a user key (the user key beingcomprised of an e-mail1 address and an SGUID). Therefore, by providing avalid e-mail1 address to a valid service, the user is essentiallyproviding his or her service-specific user key.

2. Upon submitting the request, an e-mail1 message may be sent back tothe user with a link to his or her account statement. The accountstatement may have the following fields: TABLE-US-00001 Associated LastUsed Last Used CPGUID E-mail1 Address Statement (date/time) (IP Address). . . .

3. From the account statement webpage, the user is given the option todeactivate any of the CPGUIDs that are associated with the eMail2account. Because a CPGUID is tied to a specific installation of ane-mail client (FIG. 1, 101), a user may be able to remotely prevent aspecific computer, e.g. a stolen laptop, from accessing his or hereMail2 account.

4. If deactivated, the user cannot retrieve eMail2 messages with theeMail2 client plug-in 108 for this specific account.

5. If the user chooses to reactivate a CPGUID, the process is similar tothe new registration process. A new user key is generated using thee-mail1 address and eMail2 service GUID.

6. Optionally, any or all of these steps may be protected with theimplementation of a password system.

8. EMAIL2 MESSAGE CREATION AND SENDING (FIGS. 5 AND 6)

FIG. 5 illustrates the typical components involved in the eMail2 messagecreation and sending process. FIG. 6 illustrates a typical workflow forthis process. The numbers below correspond to the reference numerals inFIGS. 5 and 6. The events A through I correspond to those in FIG. 6 andindicate the order in which the described events occur for one preferredembodiment.

From the user's perspective, creating an eMail2 message is preferablysimilar to creating a traditional e-mail message with the user's e-mailclient 101. However, as discussed later, eMail2 messages exposeadditional features to the user such as message ratings, tracking, etc.Users can also create private messages (with attachments) to specificrecipients within an eMail2 message (described further infra).

Beyond the user level, however, the process for creating and sending aneMail2 message is very different than that of an e-mail 1. FIG. 5 andFIG. 6 display the process for one embodiment in detail.

Sending an eMail2 Message (FIG. 6)

Event A: In one embodiment, the sender first selects an e-mail addressand a corresponding eMail2 service 110 from the list of services 110 heor she has previously registered with. Alternatively, if the user onlyhas one e-mail address, he or she may only select an eMail2 service 110.This selection may be performed through the e-mail client user interface(see FIG. 7) or through an eMail2 specific toolbar (See FIG. 27C, 906).

The sender then selects an option to create a new e-mail message. If thenew e-mail message is a regular e-Mail1 message, it is composed and sentin the usual manner, with no interaction from the eMail2 client plug-in108. If the new e-mail message is an eMail2 message, the rest of thisworkflow executes.

Event B: The eMail2 client plug-in 108 sends a request to the eMail2service 110, asking for permission to compose and send a new eMail2message using the specified eMail2 service 110. The request may include,but is not limited to, the following: (1) The eMail2 client plug-inglobal unique ID (e2CPGUID), (2) The eMail2 user key (e2UK).

Event C: Once the eMail2 service 110 receives and analyzes thisinformation, it determines whether or not the user is authorized tocompose and send messages using the specified eMail2 service 110. In thepreferred embodiment, this is done by checking that:

The e-mail1 address is at least passively registered (for some services,the e-mail1 address may have to be actively registered) and the plug-inis activated with the service 110. The eMail2 user key is valid for thee-mail1 address being supplied. The eMail2 CPGUID is valid for thee-mail1 address. If the user is not authorized, the workflow ends and heor she is unable to send an eMail2 message. Otherwise, the workflow willcontinue as indicated below.

Event D: The eMail2 service 110 creates an empty entry in the eMail2service's 110 data layer 120. This process is called the “messageinitialization” and potentially holds the following information:eMail2user key (e2UK); eMail2 client plug-in global unique ID (e2CPGUID);Parent Message ID (for tracking replies); Forward ID (for trackingforwards); Message Options; Status (at this point, ‘initialized’); Dateand time of the message initialization. This database entry isidentified by a Message ID.

Event E: The Message ID is sent from the eMail2 service 110 back to theeMail2 client plug-in 108.

Event F: Events B through E preferably occur in the background and areinvisible to the user. At this point, the user simply continues tocompose the new e-mail message, as per normal creation of an e-mail. Insome embodiments, when two or more recipients are specified, the eMail2plug-in 108 is able to dynamically supplement the e-mail compositionuser interface with a respective tab for each of the recipients (seeFIGS. 8, 9, and 10, 154).

Addition of a recipient-specific tab 154 to the sender's user interfacepreferably can be accomplished by clicking a button on the eMail2editing toolbar (See FIG. 27C), a button next to existing tabs 154 (orwhere tabs would be, if they existed), dragging and dropping recipientsfrom the “To:” field 150 to the tab area 154. There may also be anoption to automatically add tabs to the interface in certain instances(if, for example, there are fewer than 10 recipients). Removal ofrecipients from a given tab could take place, for example, by requiringa right-click on the recipient to be removed, followed by selection ofthe ‘remove’ option on the resulting context menu.

Each such tab 154 is selectable to access a respective message entryarea for composing a private message to the respective recipient. An“All” tab 153 is also provided to enter a “public” message that isaccessible to all of the recipients.

If the sender wishes to compose a private message to two of therecipients, the sender can drag-and-drop one tab onto another tab tocreate a new tab and private message area. This feature is illustratedat the bottom of FIG. 8, in which the eMail2 plug-in 108 has added thetab “Recipient A, Recipient B” in response to the user dragging anddropping the “Recipient A” tab onto the “Recipient B” tab, or vice versa154. In this particular example of FIG. 8, the sender can compose anon-private message to all of the recipients (A, B and C), compose aprivate message to A+B, and compose separate private messages to each ofA, B and C.

Preferably, the user can add participants to a public conversation orprivate message whenever they are creating, replying to or forwarding aneMail2 message. Preferably, the ability to remove users from privatemessages after a message has been sent is configured on a per-servicebasis. In some embodiments, removing users could be discouraged topromote message tracking and auditability. Creating new privateconversations in a reply is possible in the preferred embodiment.

Event G: When the user selects the “send” command, the eMail2 clientplug-in 108 intercepts the outgoing e-mail message. The message contentis extracted from the e-mail1 message, and sent to the eMail2 service110 across a secure TCP/IP connection. The message is considered an‘eMail2 message’ at this point. The user's identifying information(eMail2 user key, e-mail1 address, eMail2 CPGUID) and the Message IDpreviously returned by the service 108 are preferably also sent alongwith the message. The eMail2 service 110 verifies that the Message ID isvalid for the User Key, CPGUID and e-Mail1 address supplied, and thenstores the message contents (including attachments) in an encryptedstate in the data layer 120, identifying the message by its Message ID.

Event H: Once the eMail2 service 110 has received and stored the messageand its attachments, it prepares an appropriate “Introductory Message”and sends the contents to the eMail2 client plug-in 108 of the sender.

Event I: The eMail2 client plug-in 108 sends the introductory message inplace of the original message to each of the intended recipients. Theintroductory message preferably explains to the recipient that a neweMail2 message is awaiting his or her retrieval on a secure eMail2service 110. The introductory message preferably contains a messageaccess key that allows only the intended recipient to retrieve theactual eMail2 message. If the recipient user does not have the eMail2client plug-in installed, the introductory message may provide detailson how to download it.

In some embodiments, if the original e-mail message contains anyattachments, a separate file is created when the introductory message isbeing composed, describing the attachment metadata (virus scan status,size, etc.). This file can be of any type (e.g. a text file, a Word doc,an image, etc.) and is attached to the introductory message when it issent to the recipient. Because of the attached file, the recipient'se-mail client will correctly display that the message has an attachmentin the e-mail client 101 interface. There may be only one attachmentplaceholder, containing information for all of the attached files, orthere may be a separate placeholder for each attachment.

Sending the eMail2 introductory message to all intended recipients maybe done via traditional e-mail1 methods (i.e. using the sender's e-mail1server 103). The introductory message also may replace the originalmessage in the sender's outgoing messages folder.

In some embodiments and scenarios, the eMail2 service 110 is able tosend the introductory message on behalf of the user's infrastructure,through its own SMTP server. This can happen when a user's SMTP serveris unavailable. This method can also be used if a user chooses toabandon traditional e-mail (SMTP/POP3/IMAP) altogether.

It should be recognized that the message initialization described inEvent D may occur at a different point in the process flow. Forinstance, the system may be implemented with message initializationoccurring on a send command, or during any other event that can berecognized by the eMail2 client plug-in.

9. EMAIL2 MESSAGE RETRIEVAL (FIGS. 14 AND 15)

FIG. 14 illustrates the components involved in a preferred embodiment ofthe eMail2 message retrieval process. FIG. 15 illustrates a typicalworkflow for this process. The numbers below correspond to the referencenumerals in FIG. 14. Events A through D correspond to the events in FIG.14 and indicate the order in which the described events occur.

Retrieving an eMail2 Message

If the recipient does not have the eMail2 client plug-in 108 installed,the introductory message remains in the recipient's inbox and can beviewed/read by the recipient. In one embodiment, the introductorymessage invites the recipient to download the eMail2 plug-in 108 fromthe service 110's website (see FIG. 13). If the recipient does notdownload and install the eMail2 plug-in (FIG. 1, 108) in the preferredembodiment, the recipient cannot retrieve the eMail2 message, unless useof the web client interface 127 is allowed by the service 110. If theservice 110 allows use of the web client interface 127, users are ableto use it to retrieve (and perform any other actions with) the eMail2message. The recipient may still reply to the introductory message viae-mail1 if it was sent through e-mail 1.

Event A: After the recipient has installed the eMail2 client plug-in108, the plug-in automatically intercepts the introductory message andsends the recipient's e-mail address and the embedded unique message keyto the eMail2 service 110 for authentication. In most embodiments, therecipients are not required to be actively registered with any eMail2service 110 in order to retrieve eMail2 messages. If the user chooses toallow communication with a service 110 when the “service discovery”dialog is displayed, passive registration and activation occurautomatically (described elsewhere).

Event B: If the authentication is successful, the eMail2 service 110creates an access message for the recipient and transmits this accessmessage via HTTPS to the recipient's eMail2 plug-in 108. The plug-inautomatically replaces the introductory message with the access messagein the user's inbox. The access message may contain information aboutthe eMail2 message such as a text-only summary, scanning processresults, recipient names, etc. (See FIG. 18). To generate some or all ofthis message information or “metadata,” the eMail2 service 110 maygenerate a temporary, decrypted copy of the eMail2 message;alternatively, the eMail2 client plug-in 108 of the sender may generatethe message metadata before encrypting the message, and may send themetadata to the service 110 with the message and the messageinitialization information.

In one embodiment, a separate access message is generated for eachpublic and private part of an eMail2 message. Alternatively, a singleaccess message may be generated for both the public and private parts ofan eMail2 message.

Event C: The access message informs the recipient that they have a newincoming eMail2 message waiting to be retrieved (see example accessmessage in FIG. 18). With the access message, the recipient mayretrieve, reject or ignore the public and/or private parts of the eMail2message. The access message also acts as a “live link” to the eMail2message stored on the eMail2 service 110 and enables certain workflowfeatures (described further below). For example, the recipient canobtain updated data about virus scan results, the number of otherrecipients that have retrieved or rejected the message, and the ratingsassigned to the message by those recipients. In one embodiment, a singleaccess message (generated from a single introductory message) controlsthe delivery status of all elements of an eMail2 message (public,private, attachments, etc.).

With the access message, the eMail2 user is able to access the eMail2service 110's web client interface 127, where a web based delivery slip(FIG. 30, 806) may be accessed. The web based delivery slip functions inmuch the same way as the access message, but it also enables web basedmessage retrieval through an eMail2 service's (FIG. 1, 110) secure webservices.

The recipient may configure the eMail2 plug-in 108 so that eMail2messages are automatically retrieved when an access message is received.Alternatively, the eMail2 plug-in 108 may automatically retrieve thosemessages that it determines to be “safe” (for example, a text-onlymessage from a trusted sender). Recipients may also use a “Retrieve All”command to retrieve all of the messages (public and private) within aneMail2 message with a single action.

If the eMail2 message is encrypted, the recipient's eMail2 plug-in 108may also retrieve the message decryption key from its local storage, orin some embodiments, from the eMail2 service 110. The recipient's eMail2client plug-in 108 automatically decrypts the message using thisdecryption key.

Event D: Since eMail2 message attachments are stored on the eMail2service 110 and retrieved over HTTP by the recipients on demand,attachments need not have any size restrictions (as frequentlyencountered with traditional e-mail1 (SMTP/POP3) protocols). The eMail2plug-in 108 can also work in conjunction with download manager clientsto save large attachments directly on the computer storage (disk)instead of storing it in the mailbox file.

Once a recipient has retrieved a message, the same workflow featuresdescribed above apply. For example, the recipient may view virusscanning results, view the number of other users that have retrieved themessage, rate the message, etc. As recipients perform any of theseactions, they are tracked by the eMail2 service 110. In the preferredembodiment, the eMail2 client plug-in 108 monitors these operations andsends status updates to the eMail2 service 110 via HTTPS.

Attachment Retrieval

Because the attachments are preferably retrieved over HTTP or HTTPS, andbecause the system may operate in conjunction with a download manager,attachments can be downloaded from multiple streams at once, greatlyimproving download speeds. This process is similar to the way thatexisting download accelerators and managers speed up transfer speeds.

If the attachments are being downloaded from the web client interface127, conventional download managers may be configured to work with theeMail2 system. If the attachments are being downloaded from the e-mailclient 101, with the aid of the eMail2 client plug-in 108, a proprietarydownload manager may be integrated directly into the eMail2 clientplug-in 108.

Bundled Reader (Attached Executable Code)

In some embodiments of the system, a user may not need to access the webclient interface 127, download a client plug-in 108, or have the plug-in108 installed in order to retrieve the message. Message readingfunctionality can be offered by means of a bundled reader, a readingapplet or script attached to the introductory message. The attachedapplet or script can be initialized and used to display retrievedmessage data from the service 110, independent of plug-ins 108 or webclient interfaces 127.

Because messages are stored encrypted on the service 110, and becausethe message access key in the introductory message only gives thelocation of a rightfully owned e-mail message, service-wide securitywill not be compromised.

The attached applet or script can be written in Java, or any otherprogramming or scripting language available.

10. EMAIL2 MESSAGE STORAGE

Server-Side Storage

eMail2 messages (which include the header, subject, message body andattachments) are preferably stored in the eMail2 data layer (FIG. 1,120) and may be encrypted using a pair of encryption keys: the 256-biteMail2 user key and a 128-bit random number (unique to a particulareMail2 service). If the eMail2 message contains multiple public andprivate parts, each public or private sub-message may be encrypted andstored separately. Alternatively, the messages may be encrypted by one,or neither of these encryption keys.

The eMail2 Interchangeable Cryptographic Engine (ICE) (FIG. 26, 123),described further below, may be implemented on the server side or clientside for the secure storage of messages.

An eMail2 message is preferably decrypted only if: (1) a recipientretrieves the message; (2) the eMail2 service 110 performs securityscanning checks on the message content; or (3) an authorized third-partyneeds to retrieve the message.

Client-Side Storage

The eMail2 plug-in 108 may store each eMail2 message, reply, and forwardas separate entities encrypted in a special folder. This folder mayreside on the user's local computer storage (FIG. 2, 118) or analternative location such as networked storage. Encryption mayoptionally be performed by the ICE (FIG. 26, 123) if it is implementedon a client side level. In one embodiment, each stored message includesthe following information: [0368] 1. Unique eMail2 Message ID [0369] 2.Parent Message ID—used to link messages within the same thread together.This value is NULL if the message is a new message. [0370] 3. Sender'se-mail address [0371] 4. Public message ID [0372] 5. Private messageID(s) [0373] 6. Public attachment reference(s) [0374] 7. Privateattachment reference(s)

In other embodiments, more or different information can be stored withthe eMail2 message.

Options regarding sent items in the sender's inbox are configurable bythe service 110. In the preferred embodiment, with respect to “sent”messages, only the introductory message (containing the message key) isstored on the POP3 e-mail1 server. Sent messages can appear as regularmessages in the sender's mail storage. When the sender re-opens a sentmessage, the eMail2 plug-in 108 automatically fetches the actual messagecontent and metadata from the eMail2 service 110 and/or from the localclient storage (FIG. 2, 118). This content, and all of the replies, aredisplayed to the sender. However, a service 110 may not allow senders toretrieve sent messages from the introductory messages in the inbox.

11. INTERCHANGEABLE CRYPTOGRAPHIC ENGINE (ICE)

The ICE (FIG. 26, 123) is an instance of a Cryptographic Engine (FIG. 1,115). The ICE is a tool that allows developers, services orcryptologists to design and/or implement new cryptographic methods foruse with eMail2. Such cryptographic methods are preferably stored andaccessed as eMail2 communication plug-ins (FIG. 26, 124) or “e2COMs”.The ICE 123 preferably includes a default cryptographic method (e2COM124) that is a robust security solution for the storage of eMail2messages. Depending on the preferences of the users and administrators,multiple other cryptographic methods (e2COMs 124) may be implemented.These methods include, but are not limited to, AES, DES, DSA, SHA1, MACTripleDES, MD5, RC2, Rijndael, RSA, SHA256, SHA384, SHA512, etc. Newcryptographic methods are implemented in the form of eMail2communication plug-ins 124.

e2COM Validation and Distribution

In some embodiments, services, service providers, users oradministrators may design and implement their own cryptographic methods(each as an e2COM 124). To register the new e2COM 124 for use witheMail2, the cryptographic method is preferably validated by anauthority. In one embodiment, this authority is the same as the eMail2certification authority (FIG. 1, 112). In other embodiments, it may bean entirely different entity. To register an encryption method with theICE (FIG. 26, 123), the e2COM 124 containing the cryptographic method ispreferably submitted to a validation authority (such as the eMail2certification authority (FIG. 1, 112)), which validates, electronicallysigns and returns the file. Submission may occur by any method ofinformation interchange, including http or ftp transfer.

Once the new cryptographic method has been validated and signed, it canbe submitted to the ICE (FIG. 26, 123) as an e2COM 124, where it becomesregistered and available for use as a cryptographic method. FIG. 41provides a sample workflow:

Event A: A third party (FIG. 41, 143) has developed a new encryptionmethod. In order to enable use of this method in conjunction witheMail2, the third party 143 must submit the encryption method to theeMail2 certification authority 112. For new encryption methods to beused as eMail2 ICE 123 encryption methods, they must be formatted aseMail2 communication plug-ins or e2COMs 124. Once a developer hasreleased the encryption method as an e2COM 124, he or she may initiate avalidation process by submitting the e2COM 124 to the eMail2certification authority 112.

Event B: Submission may be initiated by uploading the e2COM 124 using aweb based upload interface on a secure website associated with theeMail2 certification authority 112. The submission process may also beinitiated by an FTP transfer, submission of a live link to the e2COM124, submission via an eMail2 attachment, or any other method commonlyassociated with transferring files across a network.

Event C: Once the eMail2 certification authority 112 has received asubmitted e2COM 124, it verifies that the e2COM is safe, virus free andgenerally ensures that the e2COM 124 is what it has been reported to be.This can be part of an automated process, or part of a manual review.After this, the eMail2 certification authority 112 digitally signs thespecific version of the e2COM 124 and returns it to the third party 143.The digital signature is only valid for the unmodified, returned versionof the e2COM 124. Modifications will cause the signature to becomedetectably invalid through known cryptographic techniques.

Return of the e2COM 124 can take place via eMail2 attachments, FTPtransfer, or any other method commonly associated with transferringfiles across a network.

Event D: Third parties 143 may release signed e2COMs 124 on theirwebsites, as packaged products, or bundled with certain deployments ofeMail2. When an e2COM 124 is signed, it can be submitted to a localversion (local to a service 110 or to a client plug-in 108) of theeMail2 ICE 123. The ICE 123 checks the signature against thecertification authority 112, and if it is valid, adds the e2COM 124 toits encryption library.

Subsequent to Event D, calls made to the eMail2 ICE API (FIG. 26, 125)can reference the new e2COM (FIG. 41, 124) and call the method for validencryption. Preferably, if a third party 143 chooses to upgrade orchange the e2COM 124 in any way, it must submit to the whole validationagain.

If a sender or service, perhaps utilizing complete message control,makes requirements upon the encryption methods to be used by a sender orrecipient to send, retrieve, store, reply to or forward a message, andthese requirements include using a particular e2COM 124 that may not bepresent or registered with the ICE 123 on a sender or recipient'scomputer 100, notification of these requirements may be transmitted tothe user's eMail2 client plug-in 108 or web client interface via anintroductory message or any other method of communication. The user'seMail2 client plug-in 108 or web client interface may then optionallyask the user for permission to install the e2COM and download andinstall the proper e2COM 124 by contacting the relevant eMail2 service110, the certification authority 112, or any other provider of e2COMs124.

In this way, the body of encryption methods, expressed as e2COMs 124,available to ICE 123 users is dynamically expandable: Users and eMail2services 110 may create their own encryption methods, while the ICE andemail2 systems, working in conjunction, take care of making theseencryption methods available to other users and enforcing the securityrequirements of the service or sender.

Optionally, the functionality of sender and recipients ICEs, includingacceptable or unacceptable e2COMs, may be controlled by the eMail2service 110. Within the constraints set by the service, eMail2 sendersmay, using total message control as described below, control thefunctionality of the service and recipients' ICEs insofar as it pertainsto the sender's message or conversation. Within the limits set by theservice and sender, recipients may control the functionality of theirICE. This allows for, for example, an organization to define the minimaland maximal levels of security for all eMail2 messages originating fromor traversing their organization.

Thus, a single organization may create multiple Private E-mail Networks(PENs) by creating multiple eMail2 services, each with differentsecurity settings. A user may thereafter choose the level of security ofa message they wish to send by selecting the appropriate service.

For instance, a law firm may set up one secure email service forcommunicating with clients, and another for communicating with serviceproviders. Each such service may be configured to use a particulare2COM/encryption method, such that one service provides strongerencryption than the other. Other configuration options may be separatelyspecified for each service as well.

ICE Message Encryption and Decryption Workflow

The general workflow for the preferred embodiment of ICE 123 isdescribed below. The reference numerals refer to those numerals in FIG.26. The events A through D refer to those events in FIG. 26 and describethe order in which the events occur.

Event A: The eMail2 client plug-in 108 (or eMail2 service 110) sendsdata to the ICE 123 to be encrypted, with instructions for encryptionusing a specific encryption method.

Event B: Inside the ICE 123, the list of available methods is stored ina database 126, and if the desired method exists, the ICE applicationprogramming interface 125 makes a call to the appropriate eMail2communication plug-in 124.

Event C: Using the appropriate eMail2 communication plug-in 124, the ICE123 encrypts the specified data with the specified method.

Event D: The encrypted data is returned to the eMail2 client plug-in 108(or the eMail2 service 110).

An important feature of the ICE 123 is that it is not itself anencryption solution for e-mail message storage. The ICE 123 uses aplug-in format in order to allow users or administrators the flexibilityto implement customized security solutions created by third parties intandem with the eMail2 system.

In some embodiments, the eMail2 ICE may be modified, repackaged andresold by individual security providers, using their proprietarysecurity solutions as the default eMail2 communication plug-in 124.

Seed

Preferably, embodiments include support for a custom cryptographic“seed” to begin the encryption algorithm through the ICE 123 interface,further increasing the security levels possible with the ICE 123. A seedis a numerical value that begins the mathematical encryption algorithmexecuted by a computer. Even slightly different seeds can produce wildlydifferent encryption results, and without the seed, decryption isvirtually impossible. A human-defined seed, not chosen according to anylogical rules, further strengthens encryption systems. For anunauthorized person to gain access to the encrypted data, he or shewould not only have to break the encryption, he or she would also haveto know the specific seed that began the encryption algorithm.

12. EMAIL2 MESSAGE SECURITY AND ENCRYPTION

eMail2 messages are preferably stored in the data layer (FIG. 1, 120)with at least the following fields: TABLE-US-00002 Message ID To CC BCCFrom Data 25664 terry@sys- derek@sys- <encrypted national.comnational.com message>

Preferably, the body of the message is stored as an encrypted XML file.Included in this encrypted file is the message header information,containing header elements such as recipients “To,” “CC,” “BCC,” “From,”“Subject,” etc., and their corresponding values. The message headerinformation is also stored in individual “open” (unencrypted) fields(shown above).

When the encrypted XML file from the “Data” field is extracted anddecrypted through the eMail2 administration system, notification is sentto the user that someone has accessed that specific message.

Typically, it is not necessary for administrative staff to access anddecrypt messages, but in extenuating circumstances, it may beunavoidable. This system is designed so that users are aware of thesethird party decryptions as they happen.

Verifying Header Validity

If it becomes necessary to validate the header content at any point,this can be done by comparing the header data stored in the encryptedXML file to the “open” fields in the messages table.

Because the “open” header fields in the messages table are generatedfrom the same data as the header information in the encrypted XML file,they should be the same. If they are not, that is an indication thatsomeone has tampered with the header information stored in the database.

Because there is a copy of the header information stored in encryptedform in the “Data” field, it is impossible for anyone to alter theheader data stored in the “open” fields without detection.

Encrypted Data Integrity

In some embodiments, data is transferred from the user to the serviceacross a secure SSL “pipeline” (using the HTTPS protocol). Preferably,as soon as the data reaches the service (FIG. 1, 110), the body andheader content is encrypted using the eMail2 service's encryption systemand specific algorithm “seed.” The data is stored encrypted as long asis needed. During this time, it is inaccessible to unauthorized users.

The only way to access this encrypted data is to enter the databasedirectly, extract the encrypted database entry and decrypt the XML file.This can be protected against by implementing standard databaseprotection methods. These include, but are not limited to:

-   -   Physically securing the database servers    -   Requiring password authentication to access database records    -   Limiting which administrator accounts can access database        records

E-mail1 Checksum Comparison

As an additional security option, services 110 may provide e-mail1checksum comparisons. Before the message is sent to an eMail2 service110, a message hash may be generated and stored locally by the sender'seMail2 client plug-in 108. When an e-mail1 checksum comparison isnecessary or requested, another message hash is generated at the serviceside and sent to all recipients of the eMail2 message as an e-mail1message. The sender's eMail2 client plug-in 108 can send thelocally-stored message hash to the eMail2 message recipients via ane-mail1 message. The eMail2 message recipients can compare the checksumsent by the service to the one sent via e-mail1, and may compute theirown message hash based on data received from the service 110, to verifythe integrity of the eMail2 message.

Security Configurations

The eMail2 system described can be implemented with several differentlevels of security. These will be described now. For the purpose of thisdiscussion, eMail2 data can exist at three different locations withinthe scope of the system: The client local environment (namely, theuser's computer (FIG. 33, 100)), the transit channel 136 (orcommunications protocol), and the service environment 110.

Encryption can occur to various degrees at these three locations. Thesystem can be implemented using encryption at any combination of theselocations, including all of them and none of them. [0423] Encryption ata client side 100 level occurs via a local encryption system. [0424]Encryption during transit 136 occurs via an SSL secured communicationschannel, e.g. HTTPS. [0425] Encryption at a service side 110 leveloccurs via a service side encryption system. [0426] The encryptionsystem at either the client side 100 or service side 110 can be theeMail2 ICE (FIG. 26, 123).

A matrix describing these security combinations can be found below,referred to as Security Scenarios A through H: TABLE-US-00003 ClientLocal Communications Service Environment Channel Environment AUnencrypted Unencrypted Unencrypted B ENCRYPTED Unencrypted UnencryptedC Unencrypted ENCRYPTED Unencrypted D Unencrypted Unencrypted ENCRYPTEDE ENCRYPTED ENCRYPTED Unencrypted F Unencrypted ENCRYPTED ENCRYPTED GENCRYPTED Unencrypted ENCRYPTED H ENCRYPTED ENCRYPTED ENCRYPTED

In scenarios such as G and H, when data is stored encrypted at bothendpoints (local (FIG. 33, 100) and service 110 environment), it canfurther be specified whether the data is stored encrypted using the samealgorithm, or separate (decoupled) algorithms. Additionally, senders andrecipients are able to use different encryption methods from each otherfor local storage 100.

Furthermore, in scenarios such as G and H, it can further be specifiedthat one encryption method may be implemented over top of anotherencrypted method, effectively creating “double encryption.” For example,in Scenario H, data could be encrypted at a client side 100, transferredover a secure SSL communications channel 136, and then encrypted againat the service side 110.

An implementation of any of these combinations of encryption can workcollaboratively with existing e-mail security solutions (such as PKI orPGP). Implementation of one of the security scenarios A through H at onetime does not preclude eMail2 from being implemented with a differentsecurity scenario at a different time. Additionally, eMail2 may beimplemented with the option for services and users to individuallyconfigure the security settings on a per-service, per-user basis.

Supplemental Methods of Message Encryption

In some embodiments, in addition to all other security measuresavailable for the protection of eMail2 messages, users may implement asupplemental password or passphrase on a per-message basis to furtherprotect message content.

If a user chooses to do so, he or she can add a password to the messagethat is about to be sent. Encryption of the message based upon thispassword takes place on the sender's machine (FIG. 33, 100) andpreferably in the eMail2 client plug-in (FIG. 1, 108). Thereafter,before the message can be viewed by the recipient, it must be decryptedusing the password supplied by the sender.

Preferably, the password is not communicated with the eMail2 message andnever enters the eMail2 system until entered by the recipient. Inpreferred embodiments, it is up to the sender to communicate thepassword to the recipient in an alternative manner (for example, in aphone conversation or in a face-to-face meeting).

If this security measure is enabled, the message preferably cannot bedecrypted by anyone, including the service 110 or serviceadministrators, without the sender's password.

13. MESSAGE THREADING AND PUBLIC/PRIVATE MESSAGING

Message Threading

One feature of some embodiments of eMail2 is the ability to organizeeMail2 messages as threads and to provide a threaded display to theuser. Messages are identified by their unique message ID. When aderivative message (such as a reply or forward) is created from anoriginal eMail2 message, the derivative message preferable stores theoriginal's message ID as its parent message ID (see FIG. 20). Thisdesign allows the eMail2 service (FIG. 1, 110) and eMail2 clientplug-ins 108 to combine all replies to a message into a single inboxentry. In the preferred embodiment, eMail2 messages are stored in theeMail2 data layer with at least the following fields: TABLE-US-00004Message ID Parent Message ID [E1A] Public Message . . . Message IDParent Message ID [E1A] Public Message . . . Message ID Parent MessageID [E1A] Public Message . . . Message ID Parent Message ID . . . .

eMail2 can use preorder, in-order, postorder, or level-order algorithmsto traverse the “m-way” search tree depicted in FIG. 20 to find all ofthe messages in a particular thread.

Message aggregation occurs with the help of unique Message IDs andParent Message IDs. When the user loads an e-mail client with the eMail2client plug-in 108 installed, the plug-in recognizes all related eMail2messages (originals, replies, forwards, public/private messages) anddisplays them in the e-mail client interface as a single inbox entry.The client plug-in can only perform this action if the related messagescontain the embedded Message IDs and Parent Message IDs that the eMail2client plug-in enables.

“Related messages” are still treated by the client plug-in 108 (and bythe e-mail client 101) as independent messages, but because of theMessage ID system and the eMail2 client plug-in, it is possible for thee-mail client to display them in a single logical e-mail window andinbox entry. The actual multiplicity of the single inbox entry isrendered invisible to the user through a transparent aggregationprocess.

If, at some point, the user uninstalls the eMail2 client plug-in 108,message threading functionality is lost. However, during the uninstallprocess, the user is prompted to convert all retrieved eMail2 messagesinto regular e-mail1 messages. If the user agrees to this, all of thethread items in a single eMail2 conversation will be displayed asindependent, separate items in the user's e-mail client inbox, as intraditional displays of e-mail messages, replies and forwards.

Implementation

The conversation threading feature can be implemented in the eMail2system in various ways. In one embodiment, there are two methods for theconversation threading: chronological or logical.

The chronological threading method aggregates all messages in a threadinto a single inbox entry. The ordering and organization of thesemessages rely on date and time for readability.

The logical threading method aggregates all messages in a thread into asingle inbox entry based on a logical conversation. The logicalthreading method may create multiple inbox entries if a single inboxentry is not logically readable.

Conversation Example (FIG. 35)

Provided in FIG. 35 is an example of a conversational structure. Themessages and participants named in the figure will be used to furtherexplain the threading methods disclosed further infra.

1. Person X originates a message to recipients Person Y and Person Z.

2. Person Y replies to the original message sent by Person X.

3. Person Z replies to the original message sent by Person X.

4. Person X replies to the reply sent by Person Y.

5. Person Y replies to the reply sent by Person X.

6. Person Z replies to the reply sent by Person X.

7. Person X replies to the earlier reply by Z (number 3).

Threading Method 1: Chronological Threading (FIG. 36)

Interface window 200 is a standard e-mail reading interface. It issupplemented by tabs 202, 203 and 204. The reading interface is forMessage 1, composed by Person X. This is the originating message in theconversation. In this example, Person X is reviewing the conversation,which has now grown to encompass all of the message transactionsexplained in FIG. 35.

The entire conversation (described in FIG. 35) may be displayed in thesingle reading interface window 200. Additionally, when viewing theinbox, the entire conversation may be displayed to the user as a singleentry in the inbox.

Left clicking any of the tabs 202, 203 or 204 switches the message bodywindow 201 to that particular thread. The messages are displayed oneafter another, with the newest message at the top, together withrespective date/time stamps. For tab 202 (“All”), all messages in theconversation are displayed in chronological order (the order in whichthey were sent or received). For tab 203 (“Y”), only messages sent byPerson Y are displayed in chronological order. For tab 204 (“Z”), onlymessages sent by Person Z are displayed in chronological order.

Right clicking any of the tabs 202, 203 or 204 displays the bookmarkmanager (elements 205, 206 or 207). The bookmark manager can be used tojump directly to a particular item in a conversation. For example, rightclicking the “All” tab 202 and then selecting the entry for Message 4 inbookmark manager 205 would switch the view in message body 201 to the“All” thread and jump directly to Message 4.

Although all of the post-origination e-mail messages in this example arethe result of a “reply” transaction, e-mail messages resulting from“forward” transactions may also be included in the threads, such aswhere the originator (Person X) is copied on the forwarded e-mailmessage.

Threading Method 2: Logical Threading (FIG. 37A and FIG. 37B)

FIGS. 37A and 37B illustrate another method, referred to as logicalthreading, that may be used to aggregate and display the e-mail messagesof the conversation. In this example, the entire conversation of FIG. 35is divided into two sub-conversations (FIGS. 37A and 37B) for purposesof display to Person X, the originator of the conversation.Sub-conversation 1 (FIG. 37A) consists of messages 1, 3 and 7.Sub-conversation 2 (FIG. 37B) consists of messages 1, 2, 4, 5, and 6.Each sub-conversation corresponds to one of the major branches in thetree shown in FIG. 35. Displaying the sub-conversations in this manner,as opposed to displaying the entire conversation chronologically,reduces the likelihood that Person X will lose the “train of thought”associated with each sub-conversation. Two separate inbox entries (onefor each sub-conversation) are preferably presented to Person X foraccessing these sub-conversations.

The sub-conversations are identified programmatically by, e.g.,effectively traversing the tree structure shown in FIG. 35. For example,a separate sub-conversation may be generated for each reply to theoriginal e-mail message, or for each branch emanating from the original(parent) e-mail message. Branches that include less than some thresholdnumber of e-mail messages/transactions (e.g., three) may be excluded, ormay be grouped with other branches to form sub-conversations.

As with the threaded display method of FIG. 36, the reading interfacewindows 200 of FIGS. 37A and 37B include a set of tabs 202, 203 and 204for switching between all messages of the sub-conversation, those fromPerson Y, and those from Person Z. Under each such tab, the messages areagain displayed chronologically, with the most recent message displayedat the top.

Threaded Reading Window

In all drawings, the reading interface window 200 can be viewed asanalogous to FIG. 38. FIG. 38 is a possible representation of the tabbedreading interface window 200, though other representations can stillexist without departing from the scope of the invention.

The task of generating the threaded displays as shown in FIGS. 36-38 ispreferable performed by the eMail2 client plug-in 108 or the web clientinterface 127, but may alternatively be performed in-whole or in-part bythe eMail2 service.

Alternative Embodiments

It should be recognized that these are simply two embodiments of thethreaded display feature. The message threading functionality of eMail2can be implemented in alternative embodiments without departing from thescope of the invention. As one example, in the case of logicalthreading, a separate tab may be provided viewing each sub-conversation.Further, it will be recognized that the threaded display features of theinvention can be practiced with other e-mail systems, including thosethat do not provide any form of encryption or security.

Public/Private Messaging

eMail2 supports public and private messaging within the context of asingle e-mail window. For every recipient entered into the “TO:” (FIG.8, 150), “CC:” 151, or “BCC:” 152 fields, a tab 154 can be added to thecomposition window of a standard e-mail client, either by default or bythe request of the user. The user can command to the eMail2 clientplug-in 108 that a tab be added for a specific user by a menu itemselection, a button click, a drag and drop action, or any other usualmethod of supplying computers commands. A tab for “All” is also shown153. Users have the option to enter text under a tab that is viewableonly by the intended recipient, but the composition of both public andprivate messages preferably take place within the context of a singlee-mail window. When a message is retrieved by a recipient, he or shepreferably sees the public message, as well as any private messages, inthe same tabbed interface. See FIGS. 8, 9 and 10 for examples of thetabbed interface.

If a user drags one tab onto another, a new tab is created for aspecific “group.” For example, if a user drags the tab for Recipient Aonto the tab for Recipient B, a new tab is created for “Recipient A andB.” See FIG. 8.

From a user's perspective, preferably it appears that portions of asingle e-mail are visible only to specific recipients. From the designperspective, the text entered under private tabs is treated as separatee-mail messages. The eMail2 client plug-in 108 aggregates these separatemessages and displays them in the tabbed interface 154, for both thesender and the recipient. The recipient is only able to retrieve themessage portions that he or she has permissions to (e.g. User Aretrieves messages for “All” and “User A,” but is unable to retrievemessages for User B). The retrieval of separate messages, permissions,and tabbed display is transparent to the user. It appears to the userthat he or she is simply retrieving one message with multiple tabs.

In some embodiments, both sender and recipients are able to use the“Bookmark Manager” to quickly jump to specific parts of theconversation. The Bookmark Manager is a feature of the system thatallows for easy viewing of the messages in a conversation. Selectingname in one of the tabs displays the Bookmark Manager. With the BookmarkManager, finding specific replies is simply a case of selecting thecorresponding entry from the list in the dropdown menu (which displaysthe sender, date and time) and then having the client UI jumpimmediately to that location in the e-mail conversation, which has beenconveniently aggregated. See FIG. 19 for an example of the BookmarkManager.

The creation and sending process for sending private and public messagesis the same as that for normal messages, except that separate messagesmay be entered in separate tabs.

14. EMAIL2 MESSAGE FORWARDING AND REPLYING (FIG. 21)

The process flows for forwarding and replying are preferably similar tothe flows previously described for new message sending and retrieval.FIG. 21 illustrates a typical workflow for this process.

Forwards

In the preferred embodiment, when an eMail2 message is forwarded, onlythe introductory message is sent to the new recipient. This introductorymessage preferably contains the same message key as the originalmessage. As in the normal eMail2 retrieval process, this introductorymessage then gets converted to an access message by the recipient'seMail2 client plug-in (FIG. 1, 108).

The access message presented to the new recipients preferably shows boththe sender and recipients of the original message and the sender andrecipients of the forwarded message.

Replies

In the preferred embodiment, when a reply is sent to an eMail2 service,only the reply (new content) is transferred to the service. The originalmessage does not need to be transferred because it already exists on theeMail2 service, and because the reply message contains the originalmessage's Message ID as its Parent Message ID. When the sender of theoriginal e-mail views a reply message, the sender's client plug-in 108retrieves the original message from the eMail2 service, oralternatively, retrieves this message from its local storage. In eithercase, the eMail2 client plug-in aggregates the original message, thereply message, and any other related messages (e.g., other replies) fordisplay in the active e-mail window of the e-mail client, such that allof these messages are displayed as part of the same logical e-mailmessage. (See FIGS. 36, 37 a, 37 b and 38) The task of combining therelated messages for display could alternatively be performed by theeMail2 service (FIG. 1, 110). Because the related messages preferablyshare a common parent ID, aggregating the related messages does notrequire or involve any analysis of message content to identify relatedmessages.

In some embodiments, when a user drafts a reply within his or her e-mailclient, the original message content can be locked, hidden, or madeun-editable. If the original message content is editable and the sendermakes changes to the original message, it is considered to be part ofthe reply and is transmitted as “new content.”

When replies are retrieved and displayed in a user's e-mail client 101,each tab (for each private and public sub-message) displays the sender'sname in bold text and the number of replies from that sender(illustrated in FIG. 19). Users may click on a tab to access thesender's reply. In one embodiment, clicking on the tab twice will launcha “bookmark manager.” This manager displays bookmarks to all of thedifferent replies from the same sender for each private message, andfrom all senders for the message to all.

Once a reply is read, the recipient can delete the message thread orplace it in an e-mail folder. In some embodiments, if the message threadis deleted and additional replies are received later, the message threadbecomes “active” again and reappears in the user's inbox. If the messagewas placed in a specific e-mail folder, the message remains in thatfolder but becomes active again (for example, highlighted as an “unread”message).

Blocking Forwards and Replies

In some embodiments of the system, forwarding and replying may beblocked by disabling the copy/paste functionality of the e-mail readingwindow. When a user attempts to copy text from a message that isprotected under a “do not forward” or “do not reply” policy, the userwill be unable to select the text, and a warning message may bedisplayed.

Blocking the user from selecting text may, for example, be achieved byimplementing a custom form (window) to replace the e-mail client's 100native reading window entirely.

Blocking the user from selecting text may also be achieved by displayingthe message in a format that doesn't allow for text selection, e.g. PDF,GIF, or JPEG.

Forcing eMail2 on Reply/Forward

In the preferred embodiment, forwards of and replies to an eMail2 areautomatically sent as eMail2 messages. Preferably, there is aservice-level option regarding whether or not this policy is enforced.

If enforced, users are not able to reply to an eMail2 message with ane-mail1 message, nor are they able to forward an eMail2 message as ane-mail1 message. This can be achieved by, for example, having the‘eMail2’ checkbox in the editing toolbar selected and disabled (FIG.27C, 902), and having attempts to uncheck the box result in a messageinforming the user to the effect that “This conversation is eMail2 only.E-mail1 messages are not allowed.”

If this policy is not enforced by the service, un-checking the ‘eMail2’checkbox 902 will alert the user that he or she is about toreply/forward using e-mail1, and, therefore, all security and featureupgrades for the conversation will be lost. If the user confirms, themessage will become an e-mail1 message and sent using email1 protocolsand processes.

15. EMAIL2 MESSAGE CONTROL AND TERMINATION (FIG. 22)

Some embodiments of the eMail2 system allow for complete messagecontrol. Because eMail2 messages are preferably stored only on theeMail2 service (FIG. 1, 110) that the sender selects, the sender canexert total control over the message until it is locally stored on therecipient's computer. This contrasts with the existing e-mail1 systems,where total message control generally is not possible due to astore-and-forward message management system which results in multiplecopies of the message existing in various locations.

An example of message control is the optional termination feature of theeMail2 system. Since an eMail2 message is sent to an eMail2 service(FIG. 1, 110) rather than directly to the recipient, in some embodimentssenders may have the ability to “terminate” the message/conversation andthus forbid recipients from further retrieving, replying to, orforwarding the message. There are at least two types of termination:soft termination and hard termination. When a message undergoes softtermination, recipients, including forwardees, that have alreadyretrieved, replied or forwarded the terminated message are still able toview its contents and to re-retrieve it, but all further actions areblocked. When a message undergoes hard termination, all future actions,including re-retrieval, are blocked. Preferably, administrators andother authorized 3.sup.rd parties other than the sender are able toeffect a termination. Both forms of termination apply to all eMail2e-mail messages (e.g., replies, replies to replies, forwards, etc.) thatare part of the conversation emanating from the terminated message.

Another example of complete message control, namely control offorwarding permissions, is described below. Of course, listing allcomplete message control options contemplated is not possible orpracticable. In general, complete message control includes anyfunctionality for placing conditions or restrictions on the receipt orredistribution of e-mail messages, at a time prior, contemporaneouswith, or subsequent to sending. These include message termination,message forwarding controls, including the option for requiredrecipients on forwards, message voting, virus scanning, or metadatarequirements, limits on the number of recipients, time delays before themessage may be retrieved, time- or recipient-based message expirations,limitations on local storage, requirements on the level of security atthe recipient client machine 100, including recipient authentication forretrieval or redistribution, and so forth.

In some embodiments, if a user forwards a message, he or she canterminate the thread which begins with his or her forward, leaving therest of the conversation active. Further, preferably, any messagecontrol functionality available to an original message is also availableto a forward or reply message and a public or private sub-messages. Suchfunctionality is possible due to the tree-like structure of Message andParent IDs of public and private messages, forwards, and replies.

Message Termination Workflow

FIG. 22 illustrates one example of a process flow that may be used forhard- or soft-terminating an eMail2 message.

1. Sender opens the “sent” message in his or her e-mail client, whichlinks to the eMail2 message stored on the eMail2 service 110.

2. Sender selects the “Termination” command.

3. The eMail2 client plug-in 108 sends a termination request to theeMail2 service 110 with the following information: (a) eMail2 messagekey; (b) Sender's e-mail address.

4. The eMail2 service 110 receives this request and (a) validates themessage key and the e-mail address; and (b) changes a field in the datalayer 120 to indicate that the eMail2 message has been hard- orsoft-terminated. If the conversation has been terminated, the eMail2system traverses the tree structure of an e-mail thread, collecting themessage IDs of all child messages associated with the terminatedconversation. This is possible because of the relational parent messageIDs that are a part of every eMail2 message belonging to a conversation.

5. The sender's eMail2 plug-in 108 receives a confirmation of the eMail2message's terminated state. This message may also indicate whether anyrecipients have already retrieved the message, and may identify theserecipients.

6. Once terminated, further operations are limited (replying,forwarding, etc. are disallowed) for this message. If the message hasbeen soft terminated, recipients may still retrieve the message. If themessage is hard terminated, recipients may not retrieve the message.Preferably, recipient attempts at forbidden actions cause a warningmessage to be displayed or sent to the sender or administrators.

Message Forwarding Control

As another example of message control short of termination, the processfor controlling forwarding permissions will be described. In someembodiments of the eMail2 system, senders are able to enforce a policywhich will require all recipients to request permission beforeforwarding a message to a recipient not originally included in thedistribution list. When a sender has set this policy, a recipient mayattempt to forward a message in the usual manner, but will instead bemet with a dialog informing him or her of the policy. He or she can thenchoose to “request permission” from the sender.

“Permission” can be obtained in several ways, including sending aneMail2 notification to the sender, from the service or sender, informinghim or her that there are permission requests pending. The sender maythen access the web client interface 127 and accept or reject thepermission request. The requesting recipient may then be informed of thedecision via an eMail2 message.

The actual process of forwarding may take place in at least two ways:The user may be prevented from forwarding the message at all until thepermission has been granted, or, the user may be allowed to forward themessage, but the recipient cannot retrieve it until permission has beengranted. Either method produces the same overall effect.

Optionally, a whitelist/blacklist system could be integrated. The sendercould set up a whitelist and/or a blacklist before sending the originalmessage. When a recipient attempts to forward the message, beforenotifying the sender of the permission request, the eMail2 system checksthe request against the whitelist and blacklist. If the forward addressis on the whitelist, permission is automatically granted. If the forwardaddress is on the blacklist, permission is automatically denied.

As described above, total message control preferably includes theability to control the functionality of senders, ‘recipients,’ andservices' ICEs (FIG. 26, 123).

16. EMAIL2 DELIVERY SLIP (FIG. 28)

The eMail2 delivery slip is displayed in a possible embodiment in FIG.28. The elements in FIG. 28 are customizable by service (FIG. 1, 110)and users, preferably displayed through a secure web browser connection.The webpage itself is hosted by the specific service 110 that is beingused.

The eMail2 delivery slip (FIG. 30, 806) is an aspect of the web clientinterface (FIG. 1, 127), used primarily to display eMail2 metadata in adynamic fashion. However, the delivery slip is also integral to themessage option system described further infra.

In FIG. 28, element 800 “Service Details” displays details about thespecific service that is being used for the message that the deliveryslip is displaying metadata for. This includes the service name, as wellas any accounts that a user has on the service. Accounts can be denotedby e-mail1 addresses, or any other unique identifying information.

Element 801 “Mailbox” displays all of the messages that a specific userhas on the specified services. The messages are displayed as messageentries containing at least the following metadata fields per message:date, subject, from, status. Selecting a message with the mouserefreshes the information below the mailbox to pertain to the selectedmessage.

Element 802 “Message Details” displays various metadata pertaining to aspecific message. The message details can include (but are not limitedto): the date that the message was sent, the subject line of themessage, the message ID assigned by the service, the status of themessage, the format that the message is in, the number of characters inthe message, and details about attachments. If the sender has recordedan eMail2 Voice or Video message, it is displayed in the messagedetails.

Element 803 “Message Tracking” displays metadata pertaining to thetracking of a specific message. The following metadata fields may bedisplayed:

Access Messages: Status of access message retrieval (e.g. “2/3 AccessMessages retrieved”)

Retrieved: Status of message retrieval (e.g. “1/3 Messages retrieved”)

Rejected: Status of message rejection (e.g. “0/3 Messages rejected”)

Replied: Status of message replies (e.g. “1/3 Messages replied”)

Forwarded: Status of message forwards (e.g. “0/3 Messages forwarded”)

Blocked: Status of message blocking (e.g. “1/3 Messages blocked”)

If any of these fields contain a value greater than 0, the e-mailaddresses associated with the data can optionally be displayed (e.g.“1/3 Messages retrieved: joe@e2service.com”). These tracking fields aremeant to be illustrative.

Element 804 “Options and Policies” exists in three forms, depending onthe context. If the delivery slip is being viewed after the message hasbeen sent, the options and policies element displays the settings thathave been chosen by the sender. If the delivery slip is being viewed inits pre-send state (before the message has been sent by the sender), thesender is allowed to modify all of the options and policies. If thedelivery slip is being viewed by the sender after a message has beensent, options and policies may be changed. For example, if the senderaccesses a delivery slip for a message that he or she sent last weekwith a “no-reply” stipulation, he or she may change that policy andallow replies from that point on. Options and policies may include (butare not limited to): whether or not the message can be forwarded,whether or not the message allows replies, whether or not the messagehas an expiry time (and what the time is) and whether or not ratings andsurveys are enabled for the message.

Element 805 “Virus Probability” displays various types of virusmetadata, including scans that occur on the sender's local machine, theserver's local environment, through an external virus scan API, etc. Thedelivery slip can optionally aggregate the scan results and display themas a probability value (i.e. the probability that a message contains avirus, or an attachment is infected). Alternatively, the exact resultsof all scans can be displayed.

Elements 800-805 are intended to be illustrative, not definitive.Sections on the delivery slip are highly customizable, and the sectionsthemselves, as well as the information that they contain, can be definedon a per service (or even a per-user) basis. An eMail2 delivery slip candisplay more or less information than is illustrated in FIG. 28.

17. EMAIL2 TOOLBARS (FIGS. 27A, B, & C)

In one embodiment, the eMail2 system functions on the client sidethrough the aid of three custom toolbars added to a user's e-mailclient. The toolbars described below are specifically implementedthrough MS Outlook, but may be implemented through different e-mailclients. Sample eMail2 toolbar schematics are provided in FIGS. 27A, B,and C.

Main Toolbar (FIG. 27A)

This toolbar is visible from the main window of the e-mail client. Eachof the buttons and menu options fulfill specific functions:

1. Pressing the logo button 900 opens a browser window pointed to theproduct website.

2. Dropdown menu 901 allows access to menu items, including thefollowing:

-   -   Menu item “New eMail2 Message” allows the user to create a new        eMail2 message.    -   Menu item “My eMail2 Accounts” displays a list of all the user's        relationships with different eMail2 accounts. There is a list        entry for every e-mail address/server combination. For instance,        if a user has two e-mail addresses registered and activated with        two services each, the list would have four entries.    -   Menu item “Preferences” allows access to the eMail2 client side        options (“Incoming Messages” for example).    -   Menu item “About” displays version and company information for        the specific instance of the eMail2 client plug-in installed.

3. Icon 916 “Help” opens a browser window pointed to the help section ofthe product website.

Reading Toolbar (FIG. 27b )

This toolbar is visible whenever a user is reading an eMail2 message.

-   -   1. Pressing the logo button 900 opens a browser window pointed        to the product website.    -   2. Dropdown menu 901 allows access to menu items.    -   3. Dropdown menu 906 allows access to specific commands that are        executed within the context of reading an e-mail message. These        include the following:

Menu item “Retrieve” allows the user to retrieve an access message (ifthe selected message is an eMail2 introductory message), or to retrievean eMail2 message (if the selected message is an eMail2 access message).[0546] Menu item “Update” refreshes (or re-retrieves) the content of aneMail2 access message. [0547] Menu item “Reject” blocks the message andremoves the user from the message's distribution list. It is possible todo undo a rejection, but embodiments may preferably choose not to allowrevocations of rejections. [0548] Menu item “Block Conversation”prevents a user from getting any further messages from the selectedconversation. At a later date, a user may still un-block theconversation and retrieve everything that he or she may have missed.

Menu item “Block Sender” blocks all future messages from the sender ofthe selected message. Can be un-blocked later. [0550] Menu item “BlockService” blocks all future message from the service that the selectedmessage is associated with. Can be un-blocked later. [0551] Menu item“Ignore” flags the message as ignored, so until the flag is removed,actions (for example, “retrieve all messages”) will not affect it.[0552] Menu item “Manage Service” allows the user to set preferences oroptions specific to the service. It may also allow for activeregistration. [0553] Menu item “Tell me more . . . ” opens a browserthat is pointed to the service's homepage.

-   -   4. Icon 907 “Security” denotes that this message was sent using        a secure eMail2 service.    -   5. Icon 908 “Certification Level” denotes whether a service is        certified, uncertified or trusted. The icon is a standard        green/yellow/red light traffic light. A green light means that        the user has explicitly chosen to trust the service. A yellow        light means that the service has been certified by the eMail2        certification authority. A red light means that the service has        not been certified by the eMail2 certification authority, nor is        it explicitly trusted by the user.    -   6. Icon 909 “Sender” denotes whether the message's sender is        trusted, not trusted or unknown. A checkmark denotes explicitly        trusted senders, an ‘x’ denotes not trusted senders, and a        question mark (?) denotes unknown senders.    -   7. Extension area 910 is for metadata extensions, e.g. ratings        and surveys. This section is dependant on the service that the        message uses.    -   8. Icon 916 “Help” opens a browser window pointed to the help        section of the product website.    -   9. Icon 922 “Tracking” opens a browser window pointed to the        Delivery Slip for the specific message. Optionally, other icons        may be included (e.g. “Message Details”) that open a browser        window pointed towards different aspects of the Delivery Slip.

Editing Toolbar (FIG. 27c )

The editing toolbar is visible whenever a user is composing a new eMail2message.

-   -   1. Pressing the logo button 900 opens a browser window pointed        to the product website.    -   2. Checkbox 902 allows the user to spontaneously decide whether        or not the message is an eMail2 message. Checking the box        enables eMail2 functionality. Un-checking the box disables        eMail2 functionality.    -   3. Dropdown menu 901 allows access to menu items.    -   4. Dropdown menu 906 allows access to a list of services that        the user can choose to send this eMail2 message with. The        current service is displayed on the eMail2 editing toolbar.    -   5. Icon 907 “Security” denotes that this message will be sent        using a secure eMail2 service.    -   6. Icon 908 “Certification Level” denotes whether a service is        certified, uncertified or trusted. The icon is a standard        green/yellow/red light traffic light. A green light means that        the user has explicitly chosen to trust the service. A yellow        light means that the service has been certified by the eMail2        certification authority. A red light means that the service has        not been certified by the eMail2 certification authority, nor is        it explicitly trusted by the user.    -   7. Button 915 “Policies and Options” allows a sender to set        certain options and policies for the message that he or she is        composing. This includes whether or not people can directly        reply, whether tracking is enabled, and limitless other message        options and policies.    -   8. Icon 916 “Help” opens a browser window pointed to the help        section of the product website.

The menu items and icons listed above, for all toolbars, are meant to beillustrative but not definitive. It should be recognized that options,icons and menus may be added and removed from the eMail2 toolbarswithout leaving the scope of the invention, and that toolbars may beomitted entirely in some embodiments. Additionally, certain services 110will have different options available, and the eMail2 toolbars willreflect this by displaying the options for a specific service 110,whether this entails displaying more options or less.

18. EMAIL2 METADATA EXTENSIONS

In the eMail2 system, ‘metadata’ refers to any storable information thatis associated with an eMail2 message. Metadata is typically displayed tothe user through the delivery slip (FIG. 30, 806) (part of the webclient interface (FIG. 1, 127)), introductory message and accessmessage, but other ways of displaying metadata are possible.

With the eMail2 system, the metadata collected and displayed to theusers, administrators, and third parties is completely customizable. Itis possible for eMail2 metadata to be virtually any information that acompany, organization or individual would like to collect. A specificlist of some current metadata can be found below.

Service Details: Service Name, Service GUID (e2SGUID), and Service URL.

Conversation Details: Date started, Conversation originator, Members todate, Policies enforced, Service ownership.

Message Details: Date, Sender, Recipient(s), Subject, Message ID,Summary, Status, Message Format, Character count, Attachments, Messagebody.

Tracking metadata: (a) Whether recipients have retrieved the accessmessage, (and if so, the e-mail address of the recipients who have doneso); (b) Whether recipients have retrieved/rejected/ignored the eMail2message, (and if so, the e-mail address of the recipients who have doneso); (c) Whether recipients have replied or forwarded the eMail2message, (and if so, the e-mail address of the recipients who have doneso).

Options and Policies metadata: Whether replying is enabled; Whetherforwarding is enabled; Whether ratings are enabled; Virus metadata;Infection data regarding messages; Infection data regarding attachments.

In some embodiments, in order to make full use of the metadataextensibility, metadata extension modules can be developed by thirdparties. An example for a possible metadata extension module isdisclosed below.

Incident Management

In large organizations, where incidents are reported and archived in adatabase system, an “Incident Management” metadata extension modulecould be developed or existing ones could be extended to work witheMail2. This module would allow employees to file incident reportselectronically and securely. A workflow for such a module is describedbelow.

Metadata Extension Module Workflow (FIG. 31 and FIG. 32)

Event A: An employee is involved in an incident that is normallyreported to specific parties and filed in an electronic “incidentdatabase” (external database 134).

Event B: The employee composes an e-mail message to a distribution listor alias (e.g. incident-reportgsys-national.com) using his or her e-mailclient 101 and the eMail2 client plug-in 108.

Event C: Upon clicking the send button, the employee is informed thatcertain metadata fields are incomplete. A secure browser window 130 isopened and the user is taken to a pre-send state of the delivery slipwhere a custom metadata extension module 131 is awaiting completion(FIG. 31). Custom fields, such as “Time of incident”, “Location ofincident”, “Employees involved”, etc. must be completed before the useris able to send the message.

Event D: Once the metadata extension module is filled-out, the usersends his or her message. The standard message metadata is sent to theeMail2 service 110 and the data collected in the metadata extensionmodule 131 is sent to the third party metadata extension moduleapplication 132. Alternatively, all data is sent and stored at theeMail2 service 110.

Event E: The proper parties all receive the eMail2 message informingthem of the incident. Using the existing multi-threading functionalityof the eMail2 system, private messages may be sent to various concernedparties. For example, the information received by the manager,compliance department and human resources management may differ inamount and depth. On the delivery slip for each message, recipients canview the completed incident report, filed by the sender. If privatesub-messaging occurs, it is possible that only certain pieces ofinformation are visible to certain recipients. Following this, therecipients can take the proper action for whatever the incident mighthave been.

At the same time, the organization's incident management database(external database 134) interfaces with the metadata extension moduleapplication 132, using an eMail2 API 133. The pertinent metadata isexported from the metadata extension module application 132 andintegrated into the existing organization incident database 134.

This system could alternatively be implemented so that the metadataextension module application communicates through the eMail2 service 110and not independently of it.

Metadata Export

In embodiments that allow metadata export, data is preferablytransferred securely between an external database 134 and the eMail2service 110/metadata extension module application 132. These transferspreferably occur over an SSL connection, but may make use of anychannel-securing technology available.

The eMail2 Application Programming Interface (API) 133 allows the twostorage objects to interface with each other. The external database 134gives the API 133 instructions requesting the information from certainfields, in a certain format. The eMail2 service 110/metadata extensionmodule application 132 receive these requests and send the specifieddata, formatted correctly, to the external database 134.

In other words, the eMail2 API 133 acts as a translator or mediator,allowing the two otherwise incompatible storage objects to exchangedata.

Displaying External Data with the eMail2 API

The eMail2 API 133 can also be used to display data stored in anexternal database 134 as a module 131 on the eMail2 delivery slip (FIG.30, 806). In this case, typically the process follows a similar workflowto the one above, but in reverse: (1) The metadata extension moduleapplication (FIG. 32, 132) sends a request to the external database 134(through the eMail2 API 133), asking for the data from specific fieldsin a specific format. (2) The external database 134 receives the requestand sends the data securely to the metadata extension module application132. (3) The metadata extension module application 132 displays the dataas a module 131 on the eMail2 delivery slip (FIG. 30, 806).

In this case, the eMail2 API (FIG. 32, 133) is still acting like atranslator or mediator, allowing the two otherwise incompatible storageobjects to exchange data.

eMail2 Metadata, XML and the eMail2 API

Metadata extension modules 131 are typically displayed to the userthrough the web based delivery slip (FIG. 30, 806), which is part of theeMail2 web client interface (FIG. 1, 127). The delivery slip preferablyformats and defines metadata using XML, a standard extensible markuplanguage. XML code is raw text, and interpreted by the web browser 130to display the metadata in the desired manner on the delivery slip (FIG.30, 806).

Interfacing between different external database systems (FIG. 32, 134)and the delivery slip XML is performed by the eMail2 API 133.

Other Uses

The extensible model for metadata extension modules 131 allows for thecollection, integration and display of nearly any type of data. Metadataextension modules 131 could be developed for the following areas:

Customer Service—Collecting client information and displaying it to theappropriate customer service representative.

Technical Support—Collecting system and problem information anddisplaying it to the appropriate support worker.

Contract Management—Collecting and displaying information regardingprojects, deadlines and agreements.

Medical Companies—Collecting patient information and displaying it todoctors and nurses.

Retail Industry—Displaying popular items and purchasing trends.

Any area that deals with (or could be benefited by) records keepingand/or database management.

E-mail Management

Because of the extractable metadata stored with every eMail2 message,precise and intelligent routing of eMail2 messages is possible. Forexample, for a large technical support firm, metadata regarding the typeof problem clients have may be collected. The eMail2 system can extractthis information and route the eMail2 message to the appropriate supportdepartment.

eMail2 relies on unique Message IDs as well as service definable andcustomizable metadata fields, which ensures that the messages are routedcorrectly, regardless of the subject line.

19. EVENT AND TRANSACTION-BASED TRACKING (WORKFLOW ENABLEMENT)

The client (eMail2 client plug-in (FIG. 1, 108)) and server (eMail2service 110) components of the eMail2 system work in tandem to trackvarious attributes of an eMail2 message throughout its lifecycle andpropagate that data to interested parties (such as the sender andrecipients). This feature is termed “workflow enablement.”

The eMail2 system can track both event-based and transaction-based data.For example, event-based data includes virus scanning results and userratings. Transaction-based data includes the time a message was sent,and the number of recipients that have retrieved it.

The eMail2 service 110 records, on a per message basis, allcommunications and transactions with eMail2 client plug-ins 108. Inaddition, the eMail2 client plug-in 108 actively monitors the e-mailclient 101 for any “trackable” client-side actions and automaticallyrelays that information to the eMail2 service 110 for storage.

From the user's perspective, this feature may be manifested through aworkflow toolbar (FIGS. 27A, 27B and 27C) that appears in the e-mailclient. Alternatively, these options may be directly integrated into themenu structure of an e-mail client 101.

As shown in FIGS. 27A, 27B and 27C, the workflow toolbar may allow theuser to retrieve a message, view various attributes such as messageratings, and update those attributes with the latest values from theeMail2 service (FIG. 1, 110). The types of metadata that are tracked anddisplayed to the user may differ from one eMail2 service 110 to another.eMail2 services 110 are able to implement metadata extensions, offeringdisplay of new types of metadata to users. Metadata extensions may bedeveloped by a third party, or may be enabled by new versions of theeMail2 software.

The section below discusses some of the actions and data that may beavailable to a user through the workflow enablement feature. However,note that the eMail2 architecture can track and display any type ofmessage metadata.

Synchronize Drafts Between Clients and the Web Client Interface

In some embodiments of the invention, there may be an option to savedrafts to the service 110: a user begins composing an eMail2 message inone e-mail client 101, saves it as an eMail2 draft, which in turn savesit to the eMail2 service 110. The drafts that are stored server-side maybe accessed from another e-mail client 101 at a later time. Essentially,this process synchronizes saved drafts across multiple e-mail clients101 and platforms.

This feature enables productivity gains: by synchronizing eMail2 draftsacross e-mail clients 101 and platforms, users are able to begincomposing an eMail2 message in one e-mail client 101, e.g. MicrosoftOutlook at work, and seamlessly finish composing it in another client101, e.g. Mozilla Thunderbird at home, at a later time. Preferably, theuser is able to interact with the saved draft, e.g. finish it, send it,delete it, from the web client interface 127 as well. This feature wouldbe useful, for example, at internet cafes or on shared computers.

Saving an eMail2 draft to the service 110 is preferably accomplished byan optional command on the editing toolbar (FIG. 27C).

Synchronizing drafts from a service (FIG. 1, 110) to a client 101 ispreferably done automatically by the eMail2 client plug-in 108 in thefollowing manner: When the client plug-in 108 initializes on start-up,it checks all services 110 that the user is activated/registered with tosee if there are any eMail2 drafts on the service 110 that are notpresent at the client side. If there is a discrepancy, the two sides aresynchronized. Additionally, in some embodiments, there could be a buttonon the main toolbar (FIG. 27A) to force performance of the check.Additionally, eMail2 client plug-ins (FIG. 1, 108) could check services110 at staggered, pre-defined time intervals.

Multimedia Messaging

The eMail2 system allows for secure video and voice messaging,preferably with multimedia files created and encoded “on-the-fly” andthen stored securely on an eMail2 service 110. In some embodiments, whencreating an eMail2 message, a user can add a video or voice message byrecording one through the web client interface 127.

In some embodiments, accessing the “Voice/Video Messaging” portion ofthe pre-send delivery slip (FIG. 30, 806), preferably through the eMail2toolbar button or directly from the web client interface (FIG. 1, 127)itself, allows the user to create a voice or video message that isassociated with the eMail2 message that he or she is composing.

When a recipient receives a message with an associated voice or videomessage, he or she is preferably notified of its receipt, preferably byan icon displayed on the reading toolbar (FIG. 27B). Utilizing the“Voice/Video Messaging” button or icon takes the user to the portion ofthe web client interface (FIG. 1, 127) where he or she can view videomessages or listen to voice messages.

Media Recording and Service Side Storage (FIG. 34)

In embodiments that include multimedia messaging support, media may becaptured on-the-fly by an embedded web component (the multimediarecording interface 140) in the delivery slip. In the preferredembodiment, the multimedia recording interface 140 is a flash component,or, more generally, any type of web component.

Recorded media is preferably captured as a stream by the multimediarecording interface 140 and stored directly on a server controlled bythe eMail2 service 110. This multimedia data can optionally be encryptedby the eMail2 ICE (FIG. 26, 123), or another form of multimediaencryption. Stored media 142 is preferably associated with a specificmessage ID.

Sample Workflow for a Preferred Embodiment (FIG. 34)

1. A user 138 creates a new eMail2 message and types whatever message heor she would like to send in a normal e-mail.

2. Before sending the message, the user presses the “Voice/VideoMessaging” button and is taken to the multimedia recording interface140, an interface for recording video and voice messages. The multimediarecording interface 140 is a part of the web client interface 127. He orshe is able to record a video or voice message (depending on preferencesand available hardware).

3. The recorded data is streamed directly to the eMail2 service 110 andstored as stored media 142. Stored media 142 may be encrypted duringstorage.

Upon sending the eMail2 message, the video or voice message isassociated with the eMail2 message and is available for viewing orlistening by the intended recipients of the eMail2 message.

Multimedia Retrieval

In some embodiments, multimedia data that is intended for a recipientmay be retrieved through the multimedia viewing interface 141, a part ofthe web client interface (FIG. 1, 127). The recipient may access thissection of the web client interface 127 by pressing a “Voice/VideoMessage” button or icon on the reading toolbar (FIG. 27B) or directlyfrom the web client interface (FIG. 1, 127), or any other suitablemeans.

The multimedia player is embedded into a section of the delivery slip(the multimedia viewing interface 141), and once the user haslegitimately accessed the delivery slip (FIG. 30, 806), he or she isable to play the media file using the controls on the multimedia viewinginterface (FIG. 34, 141).

Viewing/Listening Workflow (FIG. 34)

1. A user 139 receives a new eMail2 message and is informed that itcontains an associated voice or video message.

2. After reading the normal message content, the user presses the“Voice/Video Messaging” button and is taken to the delivery slipcontaining an embedded multimedia player (multimedia viewing interface141).

The user is able to watch or listen to the media file directly from thedelivery slip. Stored media 142 is streamed from service 110 to themultimedia viewing interface 141. Recipient 139 can view this mediausing the embedded multimedia player, the multimedia viewing interface(FIG. 34, 141).

Multimedia Security

Multimedia data may be stored encrypted on the eMail2 service (FIG. 1,110) that it is hosted on. This encryption can be performed via the ICE(FIG. 26, 123), or with any other available encryption system. Media canbe protected during transit by streaming it across an SSL connection(such as HTTPS).

As an added measure of security, senders may encrypt multimedia messagesusing a specific password that is independent of the eMail2 system. Thesender may then use an alternative method of communication, suchtelephone, face-to-face, etc., to deliver the password to the recipientbefore the recipient may access the protected video message.

Attachment Vs. Association

In preferred embodiments, the media file is associated but not attachedto the eMail2 message. Attachment refers to the process of attaching aseparate file to an e-mail1 or eMail2 message and sending it to arecipient along with the message (or allowing the recipient to retrieveit along with the message, in the case of eMail2). In someimplementations, media files are associated with eMail2 messages.Association refers to the process of storing the file on the eMail2service (FIG. 1, 110) and linking the file to the eMail2 messages usingthe eMail2 message ID.

Benefits of Streaming Media

In preferred embodiments, media is not retrieved to a user's localenvironment. Rather, media is provided to the recipient by means of astreaming media player (multimedia viewing interface 141). Because ofthis, users do not need to concern themselves with downloading theproper player software, securely storing multimedia files or decodingspecial formats. There is one format and one player, both defined by theeMail2 service (FIG. 1, 110), and both seamlessly integrated into theweb client interface 127. The processes of encoding, decoding,formatting, etc., are completely transparent to the user.

Retrieve, Reject, Ignore, Block

The “Retrieve,” ‘Reject,” “Ignore” and “Block” options are available tothe user in the context of an access message. On “Retrieve”, the eMail2client plug-in (FIG. 1, 108) preferably first triggers an “Update” toensure that the latest version of the access message is displayed to theuser. If the updated access message contains critical information thatthe recipient should be made aware of, a warning message preferably isdisplayed. If the updated access message contains no criticalinformation, the eMail2 plug-in 108 then proceeds to retrieve themessage(s).

Recipients may choose to retrieve, reject, or ignore parts of an eMail2message including, but not limited to, the following:

-   -   1. The entire eMail2 message    -   2. Only the public message    -   3. Only the private messages    -   4. All of the attachments    -   5. Only the public attachments    -   6. Only the private attachments

For example, upon reviewing an access message, a recipient may choose toinitially retrieve the public and any private messages, but not theattachments. After reviewing the message content, the recipient may thenchoose to retrieve the attachments, or may close or delete the e-mailwithout ever retrieving the attachments.

Recipients may choose to block components of the eMail2 systemincluding, but not limited to, the following:

-   -   1. The sender of the message    -   2. The e-mail2 service 110    -   3. The conversation

Each of the above actions is tracked and recorded by the eMail2 service110.

Blocking the sender and service 110 are both self explanatory, butblocking the conversation is more complex of an action.

Blocking conversations is preferably performed by recording theoriginating message ID, and traversing down the tree of message IDs andparent message IDs, determining all related messages and blocking eachof them. From the perspective of the eMail2 system, this processessentially blocks all new messages depending on their relationship toan undesired thread. From a user perspective, this process istransparent and blocking a conversation is a single logical action.Traversal for blocking purposes may be accomplished by the email2 clientplug-in 108 or the email2 service 110.

If a message is sent as HTML and the recipient is unsure about itscontent, eMail2's optional “Retrieve text scan only” can automaticallyscan the HTML body of the message and retrieve only the text portions(ignoring images, code, etc.). Generally, if the message is sent in anynon-plaintext form, the eMail2 system allows for retrieval of either atext-only version or an image-format representation.

Update

In some embodiments, the “Update” option is available to a user in thecontext of an access message or a sent/retrieved eMail2 message. Itupdates on the client-side all of the message metadata tracked by theeMail2 service 110. The command can also be used to retrieve replies andcomments to the eMail2 message. Preferably, “Update” is automaticallycalled by the eMail2 plug-in 108 whenever an eMail2 message window isopened by the user or before any Retrieve/Reject command is performed.

As an example, a user may use the “Update” option to refresh, over aperiod of time, the virus scan results displayed in a particular accessmessage. If the results indicate that a number of other recipients'computing devices have scanned the e-mail message associated with theaccess message and found no virus, the user may then decide to retrievethe e-mail message.

Tracking

In some embodiments, the “Tracking” option is available to a user in thecontext of an access message or a sent/retrieved eMail2 message. Itdisplays message transaction data that is collected by the eMail2service (FIG. 23, 110) and stored in the data layer 120 (see FIG. 23).Events A and B refer to the same named events in FIG. 23.

Event A: All the activity related to either an access message or aneMail2 message is tracked in real time by the eMail2 service 110 and theresults are stored in the data layer 120. They are available to both thesender and the recipient(s), depending on the outgoing options set bythe sender. Such tracked activity includes the ‘Retrieve’, ‘Reject’,‘Forward’ commands, etc.

Event B: The original message can be forwarded by any recipient to anyother recipients (depending on the outgoing options set by the originalsender) and all their activity is also tracked by the service 110.

Tracking information is preferably displayed to the user through webservices, as a web based delivery slip (FIG. 30, 806) in the web clientinterface (FIG. 1, 127) that is customizable in appearance. See FIG. 28for a visual representation of the delivery slip.

In one embodiment, “tracking” may be disabled for a specific eMail2message. In this case, the eMail2 service 110 preferably still logs alltransaction activity but the results are not available for display tothe users.

The transaction data can include, but is not limited to, the following:

-   -   1. When the eMail2 message was created/sent/received by the        eMail2 service.    -   2. To whom the eMail2 message was sent.    -   3. When the eMail2 message was        retrieved/rejected/deleted/ignored by each recipient, and what        parts of the message were retrieved (public, private,        attachments, etc.).    -   4. When the different recipients replied to the eMail2 message        and to whom they replied.    -   5. When the different recipients forwarded the eMail2 message        and to whom they forwarded, as well as all tracking activity for        the forwarded messages.    -   6. Recipients' IP addresses and other network information.    -   7. Digital signatures for each user (if used).

For threaded messages, transaction data may be displayed on a per-itembasis, or different levels of summaries may be provided (e.g., a summaryfor an entire conversation, a summary for different combinations ofmessages, a summary beginning and ending at specific dates, etc).

Authenticated external applications can use eMail2's XML web services toperform the same tracking tasks via an API that may include (but is notlimited to) the following calls:

-   -   1. GetTrackingInformationForE2M (Parameters: E2K, E2S);    -   2. GetTrackingInformationForE2U (Parameters: E1A, E1S, E2S)

P2P Event-Based and Transactional Data: Ratings and Surveys

In some embodiments, eMail2 provides P2P (peer-to-peer) event-based andtransactional functions that link the users with a unique message ID anda series of ‘user to action’ based functions. These event-basedfunctions are preferably available to a user in the context of an accessmessage or a sent/retrieved eMail2 message. Such functions includerating and survey systems for e-mails where recipients can, prior toretrieving a given message, see if other recipients found the messagevaluable. Preferably, every operation of these features and informationsummaries sends a request to the eMail2 service and opens either withinthe eMail2 client plug-in (FIG. 1, 108) or in a new browser windowthrough a specific, hidden URL call (secure web site hosted by theeMail2 service provider), unique to the current eMail2 user to view theresults.

As an example, the ratings feature allows message recipients to rate aneMail2 message based on any desired criteria, and view the ratingsassigned to the message by other recipients. In the preferredembodiment, a recipient may view the aggregated rating for an eMail2message within the context of a access message, but may not enter arating if he or she has not yet retrieved the message. A recipient mayboth view the aggregated rating and enter a rating for a retrievedmessage. A sender may view the aggregated rating for a sent message, butmay not enter a rating. In some embodiments and scenarios, a sender orrecipient may be blocked from viewing all rating information for anaccess message or message.

The eMail2 system may track any type of data as a “rating.” In oneembodiment, the rating may be a numerical value. In another embodiment,the rating may be a value from a predefined list of values (e.g. “highlyuseful,” “useful,” “not useful”). These predefined values may bepresented as a set of buttons, icons, or other user interface elementsfor purposes of allowing recipients to rate the emails they retrieve. Inyet another embodiment, the rating may include free-form text commentsentered by a user. When a recipient rates an e-mail message, the eMail2client plug-in 108 of the recipient transmits the rating to the eMail2service 110 on which the e-mail message is stored together with messageID of the e-mail message, allowing the eMail2 service 110 to store therating data in association with the e-mail message.

In the preferred embodiment, the eMail2 system allows users to viewratings within the context of a single message (e.g. the e-mail messagewindow) and multiple messages (e.g. the “inbox” view of an e-mail client101). In the case of displaying ratings of multiple messages, the ratingmay appear next to or as part of the subject line so that users need notopen each message/access message to get this information. The eMail2system may also allow users to view the number of recipients that haverated the message (e.g. “3 out of 4 recipients rated this message asuseful,” or “average rating=3.5 on a scale of 1 to 5 (rated by 6people)”), and/or separately view the rating given by each individualrecipient.

In addition to assisting users in avoiding having to read e-mailmessages of little value, the ratings feature enhances the security ofthe eMail2 system by providing users with additional information aboutwhether a message should be retrieved. For example, if a recipientdiscovers that the message contains a newly discovered virus, he or shecan rate the message accordingly to alert recipients even beforeanti-virus clients are updated to identify the virus. A “do not open” or“virus detected” rating button may be provided in the e-mail viewingwindow for this purpose.

The rating feature may be provided by the eMail2 service providerthrough the use of third party applications (FIG. 30, 129).Alternatively, it may be implemented directly within the eMail2 system.

Implementation of third party applications can be done securely viaeMail2 web services, using a web API. The following workflow correspondswith FIG. 30 and illustrates a typical secure communication with athird-party application 129:

Event A: The eMail2 client plug-in 108 contacts the eMail2 service 110with a request for a security token (T.sub.K).

Event B: The eMail2 service 110 receives the request, and because thereis a third party application 129 associated with the service 110, thethird party application 129 sends a separate security token (T.sub.K2)to the eMail2 service 110.

Event C: The eMail2 service 110 sends both the security token (T.sub.K)and the security token (T.sub.K2) to the client plug-in 108.

Event D: The eMail2 client plug-in 108 sends both the security token(T.sub.K) and the security token (T.sub.K2) to a web browser 130.

Event E: The web browser 130 consumes the security token (T.sub.K) andopens a secure connection between the browser 130 and the eMail2 service110, displaying metadata in the delivery slip 806. The web browser 130consumes the security token (T.sub.K2) and opens a secure connectionsbetween the browser 130 and the third party application 129, displayingthe custom information in the third party extension 807, in the deliveryslip 806.

The system may also be implemented in such a way that the third partyapplication 129 communicates directly with the service 110 so thatduring Event E, there is only one secure communication channel necessary(between the browser 130 and the service 110.

Web services may also be implemented so that an eMail2 service 110 canalso link different third party applications 129 with the unique eMail2message IDs and the e-mail addresses of the sender and recipientsinvolved. In this way, rating and survey engines can be configuredthrough the eMail2 service 110 and eMail2 plug-in 108 and return summaryor detailed information about each user's input on a specific eMail2message. This feature of eMail2 can also be described as a “link user toaction” process where third party applications 129 can send requests viaeMail2 methods and thus track the activity of each user. This feature ofeMail2 can also be responsible for linking into Social Networkingapplications whereby eMail2 messages considered of value can beforwarded to a user's trusted recipient list. Data export may beperformed by means of an XML feed over a secure connection, or any otherstandard method of data streaming over a secure connection.

Security between third party applications 129 and an eMail2 service 110may be guaranteed by way of a certificate system implemented by theeMail2 service 110. However, the eMail2 system preferably does notinherently implement certificate systems between services 110 and thirdparty applications 129. Ensuring that the third party applications 129themselves are secure is also a responsibility of the service 110employing them.

Status & Virus

In some embodiments, the “Status” and “Virus” actions are available to auser in the context of an access message or a sent/retrieved eMail2message. They display the aggregated results of anti-spam and anti-virusscanning that is performed on an eMail2 message.

For example, such scanning may occur on the sender's computer (FIG. 1,100) before the message is sent, on the eMail2 service 110, and onrecipients' computer 100. The results of all of these scans are trackedby the eMail2 service 110 and displayed through these attributes. Withthis data, recipients can hold on to an access message and monitor thescanning status of the message using the “Update” command beforeretrieving the actual message content or attachments.

Like the ratings attribute, the “status” and “virus” attributes may bedisplayed within the context of a single message (e.g. the e-mailmessage window) and multiple messages (e.g. the “inbox” view of ane-mail client)

The “Virus” and “Status” values may be calculated differently by eacheMail2 service 110 depending on the programs used to perform thescanning. For example, the following results can be displayed:

-   -   1. If the value of “Virus” sent by the eMail2 service is “true”,        then the title for the “Virus” tab is shown with a warning        message.    -   2. If the value of “Status” sent by the eMail2 service is        “SpamTrue”, the title for the “Status” tab is shown as “Status:        Spam” with a warning message.

The Status command can calculate an average by combining a number offactors, such as the number of people that retrieved the message, ratingresults, and virus probability. The virus probability may be weightedaccording to the results of anti-virus programs that offer virusprobability functions.

The eMail2 system may also include a virus scanning method that usesAPIs from large virus scanning companies. The implementation of this APIsystem would allow programs (such as the eMail2 client plug-in 108 orthe eMail2 service 110 software) to send files for virus scans atexternal virus scan websites. After the files are verified as “clean,” acertificate is returned to the eMail2 application. eMail2 is able totake advantage of this and use the infrastructure of external sites(i.e. virus scanning sites) to verify the integrity of messages andattachments.

Metadata Export

In some embodiments, through the use of a web services API, the eMail2system can export all forms of eMail2 metadata to third party programs129. This is commonly done in the form of an XML feed, but otherprocesses for achieving the same result are possible.

As an example, an advertising company may wish to export large amountsof message retrieval metadata and aggregate it so that they can see thenumber or percentage of e-mail messages that have been retrieved overthe entire course of an e-mail campaign.

Metadata Export Workflow

In preferred embodiments, data is generally transferred between theeMail2 service and the user via XML feeds over secure networkconnections. Therefore, the workflows for all metadata extensions shouldbe very similar. A possible workflow for a survey engine developed by athird party is provided as an example:

-   -   1. A user receives an eMail2 message containing a survey.    -   2. Accessing the survey via a custom “Survey” button on the        eMail2 reading toolbar (FIG. 27B) directs the user to the        delivery slip, specifically pointed at the survey section.    -   3. A series of questions or items are provided within the        context of the delivery slip. The user answers the questions and        submits them using a submission button the delivery slip.    -   4. The data is sent to the third party survey application (an        example of FIG. 30, 129) as an XML feed where it is integrated        into an existing database.    -   5. If the survey is private, the survey section of the delivery        slip is replaced by a message thanking the user for his or her        participation, as well as anything else the survey company        wishes to display (a link to their website, for example).    -   6. If the survey is public, the third party survey application        129 could send back averages/popular responses/statistics and        display them in the survey pane of the delivery slip.

20. CLIENT SIDE EMAIL2 CONFIGURATION OPTIONS

The configurable options for the client side of the eMail2 system can bedivided into at least two logical sections: Incoming Message Options andOutgoing Message Options. Additional sections, such as signaturepreferences, are contemplated herein.

Incoming Message Options

The “Incoming Message Options” deal with all aspects of incomingmessaging. They are defined by the user from the eMail2 client plug-inOptions or Preferences menu, and affect the local security andpreferences for a single installation of the eMail2 client plug-in (FIG.1, 108). Options may include but are not limited to the following (FIG.24):

-   -   1. Auto retrieve e2AMs [checkbox]    -   2. Auto retrieve e2Ms according to the following filters:        [checkbox]        -   a. Services            -   i. All services [radio button]            -   ii. Trusted services [radio button]        -   b. Members            -   i. All members [radio button]            -   ii. Trusted members [radio button]        -   c. Message Format            -   i. All messages [radio button]            -   ii. Text only messages [radio button]        -   d. Attachments            -   i. All messages [radio button]            -   ii. Messages with no attachments [radio button]    -   3. Auto activate with:        -   a. All services [radio button]        -   b. Certified services [radio button]        -   c. No services [radio button]        -   d. Auto-trust services I activate with [checkbox]

The above set of options is represented in a visual form by FIG. 24.

Outgoing Message Options

The “Outgoing Message Options” deal with the user's preferences foroutbound messaging. They are typically set in the pre-send state of thedelivery slip (FIG. 30, 806) through the web client interface (FIG. 1,127), and are preferably not stored locally on a client 101 or clientplug-in 108. Accessing the pre-send delivery slip requires a user toinitialize a message (open a composition interface for a new eMail2message) and then select either “tracking” or “message options.” Thisopens a secure browser connection for a delivery slip (FIG. 30, 806)that is specific to the message that the user is creating. The user maythen change options pertaining to the message. The message options mayinclude but are not limited to the following:

-   -   1. Access Message        -   a. Disclose Recipients [checkbox]        -   b. Include Subject line [checkbox]        -   c. Include message summary [checkbox]        -   d. Include virus scan results [checkbox]        -   e. Include number of characters [checkbox]        -   f. Include status [checkbox]    -   2. Tracking        -   a. Allow tracking [checkbox]    -   3. Expiry Times        -   a. set expiry date and time for message [checkbox] [textbox]        -   b. set expiry date and time for attachments [checkbox]            [textbox]    -   4. Force Format on Retrieval        -   a. Only allow recipients to retrieve text only versions            [radio button]        -   b. Only allow recipients to retrieve messages in the format            that I send them in [radio button]        -   c. Allow recipients to choose message format [radio button]    -   5. Ratings & Surveys        -   a. Enable Ratings [checkbox]

Signature Preferences

eMail2 supports existing signature systems. The eMail2 signaturepreferences contain at least (but not limited to) the following options:

-   -   1. Signature        -   a. Include VCard with each message [checkbox]        -   b. Text/HTML Signature [checkbox]        -   c. URL [checkbox]

In the preferred embodiment, although the signature preferences areembedded within the e-mail client (FIG. 1, 101), the sender's signaturedoes not need to be included within the body of each message. Rather,the signature may be uploaded to the eMail2 service 110 and availablefor download by a recipient at any time. In some embodiments, the“Text/HTML Signature” is a function offered by the eMail2 service 110whereby a networked storage location is available to create differentsignature types using various third party programs (FIG. 30, 129).Finally, in some embodiments, the “URL” signature option pointsrecipients to a web address where they may access the profile for thesender.

21. EMAIL2 ADMINISTRATION AND SERVICE CONFIGURATION OPTIONS

eMail2 Administration

Service configuration options are set by administrators. In the eMail2system, there are two types of administrators: Super administrators andservice administrators (FIG. 25, 128). There is a hierarchicalrelationship between super administrators, service administrators andusers (with super administrators occupying the highest level of thehierarchy).

Service administrators control a specific eMail2 service (FIG. 1, 110).Service administrators have administrative privileges for allconfiguration options that fall under the realm of a service 110.

Super administrators control service providers, hosting companies thatmay or may not be corporately affiliated with the services 110 that theyare hosting. Super administrators hold full administrative privilegesfor all the configuration options of all of the services 110 hosted on aservice provider.

The eMail2 service configuration options are set by an eMail2 serviceadministrator through a secure service administration web interface. Anexample of the service administration web interface can be seen in FIG.29.

Preferably, the administration web interface is viewed as two sets oftabs (157 and 158) and one dropdown menu 159. Super administrators haveaccess to all levels of the tabs. Service administrators have access toall of the second level tabs under “services,” for their specificservice 158. If a single individual is a service administrator for twoor more services that are hosted on one service provider, he or shepreferably will have access to all of the second level tabs under“services” for each service that he or she administrates.

The top level tabs 157 include: Home, Services, Users, Skins andSettings. The second level tabs are different depending on the top leveltab selected. The dropdown menu 159 is different depending on the secondlevel tab selected. A more complete architecture for the serviceadministration web interface is described at the end of this section.

eMail2 Service Configuration Options

Possible configuration settings for specific services (FIG. 1, 110)include but are not limited to, the following:

-   -   1. The default text to be included with each introductory        message. This is configured by means of an “IM Template” in the        service admin options. The IM template is a text entry that        provides the default introductory message format. Placeholders        are used for variables, such as names, dates, message IDs,        summaries, etc. For example, if an admin wanted to set the        introductory message to display the Message ID, he or she might        include the text “-ID:% int-msgid %” in the IM template. All of        the metadata that can be displayed within an eMail2 introductory        message has a placeholder associated with it. For certain        services 110, individual users may be able to override the        default IM template.    -   2. The default text to be included with each access message.        This is configured by means of an “IM Template” in the service        admin options. The AM template is a text entry that provides the        default access message format. Placeholders are used for        variables, such as names, dates, message IDs, summaries, etc.        For example, if an admin wanted to set the access message to        display the number of characters in a message, he or she might        include the text “-Number of characters:% int-bodycount %” in        the IM template. All of the metadata that can be displayed        within an eMail2 access message has a placeholder associated        with it. For certain services 110, individual users may be able        to override the default AM template.    -   3. The default message options (e.g. Allow Tracking, Allow        Forwarding, Allow Replying). These message options can, if the        service 110 allows it, be modified by users on a per-message        basis. An example of the interface for determining service        options, default values and over ride rights is visually        represented in FIG. 40.    -   4. The length of time eMail2 messages are stored on the eMail2        service 110, (this can be overridden for specific users or        groups of users).    -   5. The DNS string or IP address to be included with each message        (so eMail2 client plug-ins 108 can determine which service to        use). There are preferably two DNS strings or IP addresses: one        for the Service URL and one for the dynamic web-based Delivery        Slip URL.    -   6. Whether to allow users to use the eMail2 service's 110 SMTP        server to send outgoing introductory messages, as well as        whether this option is enabled by default. Additionally,        administrators are able to set the address of the SMTP server        that the eMail2 service 110 uses for e-mail1 communications.    -   7. Whether recipients of an eMail2 message are required to        register with the service 110 before they can        retrieve/reply/forward using it. An example of an interface for        determining such security settings is visually represented the        security matrix of FIG. 39.    -   8. Whether certain domains are blocked from registering with the        service 110. Alternatively, whether ONLY certain domains may        register with the service 110.    -   9. The ability to define new administrator accounts.    -   10. Skin Captions. Customized graphical and textual elements for        companies that are displaying web-pages integral to the eMail2        system. Service administrators are able to customize the        appearance of all web interfaces pertaining to a specific        service 110 by using the skin captions.    -   11. In the case of registered e-mail, service administrators may        optionally be able to retrieve archived messages from the eMail2        service 110, for use in disputes. In the preferred embodiment,        this action alerts users that their e-mail conversation has been        audited, and that it has been retrieved by service        administrators.    -   12. The encryption system for the service 110 (possibly        configured through use of the ICE (FIG. 26. 123)).

If two companies exchange eMail2 messages and each runs its own eMail2service (FIG. 1, 110), they can link their services using the eMail2 webservices API. This would allow the services to share the trackinginformation stored on each service 110.

These options above, as well as the architecture below, are meant to beillustrative and not definitive. It should be recognized that optionsand interface architecture may be added at a later date without goingbeyond the scope of the invention.

eMail2 Service Administration Web Interface Architecture

The following is one possible menu system for the interface described inFIG. 29.

-   -   1. Home        -   1.1. Dashboard        -   1.2. Search        -   1.3. Advanced Search        -   1.4. Usage Statistics    -   2. Services        -   2.1. Services Directory            -   2.1.1. Home            -   2.1.2. Properties            -   2.1.3. Members            -   2.1.4. Usage Statistics            -   2.1.5. Settings                -   2.1.5.1. Assign Skin                -   2.1.5.2. Security                -   2.1.5.3. Throttle                -   2.1.5.4. Domain Manager                -   2.1.5.5. SMTP            -   2.1.6. Permissions            -   2.1.7. Fields            -   2.1.8. API                -   2.1.8.1. Data Export                -   2.1.8.2. Crypto                -   2.1.8.3. LDAP    -   3. User        -   3.1. Properties        -   3.2. Permissions    -   4. Skins        -   4.1. Skin Directory            -   4.1.1. Properties            -   4.1.2. Permissions        -   4.2. Caption Sets Directory            -   4.2.1. Edit            -   4.2.2. Permissions        -   4.3. Image Sets Directory            -   4.3.1. Edit            -   4.3.2. Properties    -   5. Settings        -   5.1. Hardware Configuration        -   5.2. User Settings        -   5.3. Update Manager        -   5.4. An example of a Security Matrix

22. REGISTERED ELECTRONIC MAIL

The end-to-end encryption, message storage, and message trackingfeatures of eMail2 enable “Registered Electronic Mail” for systems inwhich these features are embodied. Registered electronic mail is basedon the same architecture and feature set as plain eMail2. The primaryworkflow difference is that recipients may be required to register withthe eMail2 service (FIG. 25, 110) chosen by the sender before being ableto retrieve their messages.

The typical process for registered electronic mail is described, withreference to FIG. 25, below:

Equipped with a unique Message Access Key, authorized parties (such asservice administrator 128) can access the archived eMail2 messagesstored in the service data layer 120 and preferably find them in theiroriginal state, encrypted and available for later consultation.Certified copies of messages and attachments can be made available asimages, PDF or any other format over the web. Alternatively, registeredelectronic mail services 110 can also forward certified paper copies tosolve any disputes between the parties involved.

Because the messages are encrypted and stored on the secure eMail2service 110, the content and attachments of the messages cannot betampered with by users for their entire lifecycle.

23. THIRD PARTY APPLICATION SERVER

Another embodiment of the present disclosure is described below withreference to FIGS. 42-45. FIG. 42 depicts a secure messaging system 300,according to one embodiment of the present disclosure. The securemessaging system 300 includes a server system 320 including a processor322 configured to execute a secure messaging service program. The securemessaging system 300 further includes a sender computing device 310including a processor 312 configured to execute a program that displaysa client graphical user interface (GUI) 314. The sender computing device310 is configured to receive input of a message from a sender via theclient GUI 314. In some embodiments, the sender computing device 310 maycommunicate with the server system 320 via an API 316. For example, theclient GUI 314 may be a GUI of an application program such as a billingsystem that sends billing information to the server system 320 via theAPI 316. In other embodiments, the sender computing device 310 may beconfigured with an application program having GUI 314 that communicatesdirectly with the server system 320, rather than communicating via anAPI executed on the sender computing device 310.

In some embodiments, the message may be received from the sender via aclient plug-in running on the sender computing device 310. In otherembodiments, the message may be received from the sender via a webbrowser running on the sender computing device 310. The client plug-inor web browser may display the client GUI 314. The message may includeany combination of text, speech, one or more images, video, or othertypes of content.

In some embodiments, the message may be an e-mail message. An examplee-mail message 400 is schematically depicted in FIG. 43. The e-mailmessage 400 may include an SMTP e-mail address 402 associated with thesender. The e-mail message 400 may also include a subject line 404and/or a message body 406. In some embodiments, the e-mail message 400may further include at least one of an attached file, a calendar invite,a signature request, and a fillable form.

Returning to FIG. 42, the sender computing device 310 is furtherconfigured to receive input of a send command from the sender via theclient GUI 314 to send the message to a recipient designated by thesender. In some embodiments, the sender computing device 310 may receiveinput of a send command to send the message to a plurality ofrecipients. In response to the send command, the sender computing device310 is further configured to send the message over a secure channel tothe server system 320. The secure channel may be an HTTP, HTTPS, or TLSchannel. The server system 320 is configured to receive the message andstore the message in encrypted form. In some embodiments, the serversystem 320 may authenticate the sender. For example, the server system320 may prompt the sender to enter a password or biometric data, and maycompare the entered password or biometric data to a password orbiometric data stored on the server system 320.

The server system 320 is further configured to generate a substitutemessage after receiving the message. An example substitute message 420is schematically depicted in FIG. 44. In the example embodiment of FIG.44, the substitute message 420 is a substitute e-mail message. Thesubstitute message 420 lacks at least some message content of themessage 400 of FIG. 43. For example, the substitute message may lack oneor more of the SMTP e-mail address 402 of the sender, the subject line404 of the e-mail message, and, when the message 400 includes anattached file 408, the file name 410 of the attached file 408.

The substitute message 420 further includes a link 428 that providesfunctionality to authenticate the recipient and to securely retrieve themessage 420 from the server system 320. In some embodiments, the link428 may be a link to a web client interface that points to a web sitethat provides functionality for accessing the message 400 via aweb-based interface. In such embodiments, the web-based interface may bea web browser. In other embodiments, the link 428 may be a link thatpoints to an application server that provides functionality foraccessing the message 400 via an in-application interface. Thein-application interface may be an interface of a client plug-in runningon the sender computing device 310. The link 428 further includes amessage access key 430. The message access key 430 includes a messageidentifier 432 identifying the message 400 and a service host identifier434 indicating to the recipient a network accessible address of theserver system 320 at which the message 400 is stored. The message accesskey 430 may be encrypted. The message identifier 432 may uniquelyidentify a location of the message 400 on the server system 320.

Returning to FIG. 42, the server system 320 is further configured totransmit the substitute message 420 to the sender computing device 310via the secure channel. The sender computing device 310 is furtherconfigured to send the substitute message 420 from the sender computingdevice 310 to a third party application server 330 for transmission to arecipient computing device 340. In some embodiments, the sendercomputing device 310 may be further configured to receive a securitytoken from the third party application server 330. In such embodiments,the sender computing device 310 may be further configured to open asecure connection between the sender computing device 310 and the thirdparty application server 330, wherein opening the secure connectionincludes sending the security token to the third party applicationserver 330. The third party application server 330 may include aprocessor 332 configured to execute an SMTP relay API 334, and thesubstitute message 420 may be sent to the SMTP relay API 334 of thethird party application server 330. The substitute message 420 istransmitted from the sender computing device 310 to the third partyapplication server 330 over a secure channel, which may be HTTP, HTTPS,or TLS. The substitute message 420 may be further transmitted from thethird party application server 330 to the recipient computing device 340over an SMTP protocol.

The server system 320 is further configured to receive a request foraccess to the message 400 stored at the server system 320 from therecipient computing device 340. The recipient computing device 340 mayinclude a processor 342 configured to send the request for access to theserver system 320 over HTTPS or TLS. The request is generated based onthe message access key 430 in the link 428 in the substitute message420. For example, the request may be generated in response to therecipient opening the link 428 in a web browser. In some embodiments,the server system 320 may be further configured to receive recipientdata including a recipient address from the recipient as part of therequest for access to the message 400. The server system 320 is furtherconfigured to transmit the message 400 to the recipient computing device340 via a secure communications protocol. The secure communicationsprotocol may be HTTPS or TLS. In embodiments in which the server system320 receives recipient data, the server system 320 may transmit themessage 400 to the recipient computing device 340 via a securecommunications protocol, based on the recipient data.

FIG. 45 shows a flowchart of a method 500 for use with a securemessaging system, which may be the secure messaging system 300 of FIG.42. The method 500 includes steps 502, 504, and 506, which are performedat a sender computing device. First, the method 500 includes a step 502of receiving input of a message from a sender via a client GUI. Themessage received from the sender may be an e-mail message. Inembodiments in which the message is an e-mail message, the e-mailmessage may include at least one of an attached file, a calendar invite,a signature request, and a fillable form. At step 504, the method 500further includes receiving input of a send command from the sender viathe client GUI to send the message to a recipient designated by thesender. In some embodiments, the sender computing device may receiveinput of a send command to send the message to a plurality ofrecipients. At step 506, the method 500 may include sending the messageover a secure channel to a server system. The secure channel may be anHTTP, HTTPS, or TLS channel.

The method 500 further includes steps 508, 510, 512, and 514, which areperformed at the server system. At step 508, the method 500 includesreceiving the message. At step 510, the method 500 further includesstoring the message in encrypted form. At step 512, the method 500further includes generating a substitute message after receiving themessage. In some embodiments, the substitute message may be a substitutee-mail message. The substitute message lacks at least some messagecontent of the message, which may include one or more of an SMTP e-mailaddress of the sender, a subject line of the e-mail message, and a filename of the attached file. The substitute message includes a link thatprovides functionality to authenticate a recipient and to securelyretrieve the message from the server system. The link includes a messageaccess key, which includes a message identifier identifying the messageand a service host identifier indicating to the recipient a networkaccessible address of the server system at which the message is stored.In some embodiments, the link may be a link to a web client interfacethat points to a web site that provides functionality for accessing themessage via a web-based interface. In other embodiments, the link may bea link that points to an application server that provides functionalityfor accessing the message via an in-application interface. At step 514,the method 500 further includes transmitting the substitute message tothe sender computing device via the secure channel.

The method 500 further includes step 516, which is performed at thesender computing device. At step 516, the method 500 includes sendingthe substitute message from the sender computing device to a third partyapplication server for transmission to a recipient computing device. Thesubstitute message is transmitted from the sender computing device tothe third party application server over a secure channel, which may bean HTTP, HTTPS, or TLS channel. In some embodiments, the substitutee-mail message may be transmitted to the third party application servervia an SMTP relay of the third party application server. The substitutee-mail message may be transmitted from the third party applicationserver to the recipient computing device. The substitute e-mail messagemay be transmitted to the recipient over an SMTP protocol.

The method 500 further includes steps 518 and 520, which are performedat the server system. At step 518, the method 500 includes receive arequest for access to the message stored at the server system from therecipient computing device. The request is generated based on themessage access key in the link in the substitute message. For example,the request may be generated in response to the recipient opening thelink in a web browser. At step 520, the method 500 includes transmittingthe message to the recipient computing device via a securecommunications protocol.

24. CONCLUSION

The various features and functions described above may be implemented incode modules that are executed by general purpose computing devices. Thecode modules may be stored on any appropriate type of computer storagedevice or memory.

As will be apparent, numerous modifications can be made to the systemand methods described above without departing from the scope of theinvention. The invention is defined only by the following claims.

1. A secure messaging system comprising: a server system including aprocessor configured to execute a secure messaging service program; anda sender computing device including a processor configured to execute aprogram that displays a client graphical user interface (GUI); whereinthe sender computing device is configured to: receive input of a messagefrom a sender via the client GUI; receive input of a send command fromthe sender via the client GUI to send the message to a recipientdesignated by the sender; and send the message over a secure channel tothe server system; wherein the server system is configured to: receivethe message; store the message in encrypted form; generate a substitutemessage after receiving the message, said substitute message lacking atleast some message content of the message, and including a link thatprovides functionality to authenticate a recipient and to securelyretrieve the message from the server system and further including amessage access key including a message identifier identifying themessage and a service host identifier indicating to the recipient anetwork accessible address of the server system at which the message isstored; and transmit the substitute message to the sender computingdevice via the secure channel; wherein the sender computing device isfurther configured to: send the substitute message from the sendercomputing device to a third party application server for transmission toa recipient computing device, wherein the substitute message istransmitted from the sender computing device to the third partyapplication server over a secure channel; and wherein the server systemis further configured to: receive a request for access to the messagestored at the server system from the recipient computing device, therequest being generated based on the message access key in the link inthe substitute message; and transmit the message to the recipientcomputing device via a secure communications protocol.
 2. The securemessaging system of claim 1, wherein the message is an e-mail message.3. The secure messaging system of claim 2, wherein the e-mail messageincludes at least one of an attached file, a calendar invite, asignature request, and a fillable form.
 4. The secure messaging systemof claim 3, wherein the substitute message lacks one or more of an SMTPe-mail address of the sender, a subject line of the e-mail message, anda file name of the attached file.
 5. The secure messaging system ofclaim 2, wherein the substitute message is a substitute e-mail message,the substitute e-mail message is transmitted to the third partyapplication server via an SMTP relay of the third party applicationserver, and the substitute e-mail message is transmitted from the thirdparty application server to the recipient computing device over an SMTPprotocol.
 6. The secure messaging system of claim 1, wherein the serversystem is further configured to: receive recipient data including arecipient address from the recipient; and transmit the message to therecipient computing device via a secure communications protocol, basedon the recipient data.
 7. The secure messaging system of claim 1,wherein the link is a link to a web client interface that points to aweb site that provides functionality for accessing the message via aweb-based interface.
 8. The secure messaging system of claim 7, whereinthe web-based interface is a web browser.
 9. The secure messaging systemof claim 1, wherein the link is a link that points to an applicationserver that provides functionality for accessing the message via anin-application interface.
 10. The secure messaging system of claim 1,wherein the sender computing device is further configured to: receive asecurity token from the third party application server; and open asecure connection between the sender computing device and the thirdparty application server, wherein opening the secure connection includessending the security token to the third party application server. 11.The secure messaging system of claim 1, where the message is receivedfrom the sender via a client plug-in running on the sender computingdevice.
 12. A method for use with a secure messaging system, the methodcomprising: at a sender computing device: receiving input of a messagefrom a sender via a client GUI; receiving input of a send command fromthe sender via the client GUI to send the message to a recipientdesignated by the sender; and sending the message over a secure channelto a server system; at the server system: receiving the message; storingthe message in encrypted form; generating a substitute message afterreceiving the message, said substitute message lacking at least somemessage content of the message, and including a link that providesfunctionality to authenticate a recipient and to securely retrieve themessage from the server system and further including a message accesskey including a message identifier identifying the message and a servicehost identifier indicating to the recipient a network accessible addressof the server system at which the message is stored; and transmittingthe substitute message to the sender computing device via the securechannel; at the sender computing device: sending the substitute messagefrom the sender computing device to a third party application server fortransmission to a recipient computing device, wherein the substitutemessage is transmitted from the sender computing device to the thirdparty application server over a secure channel; and at the serversystem: receiving a request for access to the message stored at theserver system from the recipient computing device, the request beinggenerated based on the message access key in the link in the substitutemessage; and transmitting the message to the recipient computing devicevia a secure communications protocol.
 13. The method of claim 12,wherein the message is an e-mail message.
 14. The method of claim 13,wherein the e-mail message includes at least one of an attached file, acalendar invite, a signature request, and a fillable form.
 15. Themethod of claim 14, wherein the substitute message lacks one or more ofan SMTP e-mail address of the sender, a subject line of the e-mailmessage, and a file name of the attached file.
 16. The method of claim13, wherein the substitute message is a substitute e-mail message, thesubstitute e-mail message is transmitted to the third party applicationserver via an SMTP relay of the third party application server, and thesubstitute e-mail message is transmitted from the third partyapplication server to the recipient computing device over an SMTPprotocol.
 17. The method of claim 12, wherein the link is a link to aweb client interface that points to a web site that providesfunctionality for accessing the message via a web-based interface. 18.The method of claim 12, wherein the link is a link that points to anapplication server that provides functionality for accessing the messagevia an in-application interface.
 19. A secure messaging systemcomprising: a server system including a processor configured to executea secure messaging service program; a third party application server;and a sender computing device including a processor configured toexecute a program that displays a client graphical user interface (GUI);wherein the sender computing device is configured to: receive input of amessage from a sender via the client GUI; receive input of a sendcommand from the sender via the client GUI to send the message to arecipient designated by the sender; and send the message over a securechannel to the server system; wherein the server system is configuredto: receive the message; store the message in encrypted form; generate asubstitute message after receiving the message, said substitute messagelacking at least some message content of the message, and including alink that provides functionality to authenticate a recipient and tosecurely retrieve the message from the server system and furtherincluding a message access key including a message identifieridentifying the message and a service host identifier indicating to therecipient a network accessible address of the server system at which themessage is stored; and transmit the substitute message to the sendercomputing device via the secure channel; wherein the sender computingdevice is further configured to: send the substitute message from thesender computing device to the third party application server, whereinthe substitute message is sent from the sender computing device to thethird party application server over a secure channel; wherein the thirdparty application server is configured to: transmit the substitutemessage to a recipient computing device; and wherein the server systemis further configured to: receive a request for access to the messagestored at the server system from the recipient computing device, therequest being generated based on the message access key in the link inthe substitute message; and transmit the message to the recipientcomputing device via a secure communications protocol.
 20. The securemessaging system of claim 19, wherein the message is an e-mail message,the substitute message is a substitute e-mail message, the substitutee-mail message is transmitted to the third party application server viaan SMTP relay of the third party application server, and the substitutee-mail message is transmitted from the third party application server tothe recipient computing device over an SMTP protocol.